Log analysis and evaluation: Windows 7: Bluescreen after start, recovery successful but malware suspected
19.02.2014, 09:28 | #1
After switching on the laptop on 17.02.204, all that appeared, again and again, was a bluescreen. After several repair attempts I performed a system restore using the Windows 7 DVD. After the restore I was able to start Windows 7 again and log in both as a user and as admin (Chef). To be on the safe side I then wanted to run a virus scan over all files as admin, but this could not be configured: an error message "Zugriff verweigert" (access denied) appeared, even though I was doing the configuration as an administrative user. A normal scan showed no findings. I then created logs with Defogger, FRST and GMER as described in the instructions.

Defogger disable.txt:

Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:41 on 18/02/2014 (chef)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

Many thanks for your support.

Regards, Regina
19.02.2014, 10:30 | #2
Hi,

Please always post logs directly in the thread. If necessary, split them up and use several posts. I can't open attachments at work, thanks.

This is how it works: Posting in CODE tags

Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
19.02.2014, 11:28 | #3
Hello Schrauber,

I already had all the logs in the thread, but was then (automatically?) told to zip them. So once again...

FRST.txt:

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-02-2014
Ran by chef (administrator) on LAPTOP-R on 18-02-2014 21:48:19
Running from E:\
Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Lenovo.) C:\Windows\System32\TpShocks.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
(Elaborate Bytes AG) C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(PC Tools) C:\Program Files\ThreatFire\TFTray.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
(shbox.de) C:\Program Files\FreePDF_XP\fpassist.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Uwe Sieber - www.uwe-sieber.de) C:\Tools\USBDLM\USBDLM_usr.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Synaptics Incorporated) C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
() E:\Defogger.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [X]
HKLM\...\Run: [TpShocks] - C:\Windows\system32\TpShocks.exe [337256 2009-12-11] (Lenovo.)
HKLM\...\Run: [AcWin7Hlpr] - C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe [36864 2009-10-13] ()
HKLM\...\Run: [TPHOTKEY] - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [68976 2009-03-13] (Lenovo Group Limited)
HKLM\...\Run: [LENOVO.TPFNF6R] - C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe [62752 2009-08-20] (Lenovo Group Limited)
HKLM\...\Run: [VirtualCloneDrive] - C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM\...\Run: [ThreatFire] - C:\Program Files\ThreatFire\TFTray.exe [378128 2011-02-22] (PC Tools)
HKLM\...\Run: [COMODO Internet Security] - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [6756048 2012-11-08] (COMODO)
HKLM\...\Run: [FreePDF Assistant] - C:\Program Files\FreePDF_XP\fpassist.exe [371200 2011-02-23] (shbox.de)
HKLM\...\Run: [BMMGAG] - C:\Program Files\ThinkPad\Utilities\PWRMONIT.DLL [110592 2005-04-20] (IBM Corp.)
HKLM\...\Run: [BMMLREF] - C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE [20480 2005-04-20] ()
HKLM\...\Run: [BMMMONWND] - C:\Program Files\ThinkPad\Utilities\BATINFEX.DLL [396288 2005-04-20] ()
HKLM\...\Run: [BLOG] - C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL [208896 2005-04-20] ()
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2379504 2013-04-24] (Synaptics Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\RunServices: [Atheros Configuration Service] - C:\Windows\syst
AppInit_DLLs: C:\Windows\system32\guard32.dll => C:\Windows\system32\guard32.dll [301264 2012-11-08] (COMODO)
Lsa: [Notification Packages] scecli ACGina
Startup: C:\Users\gini\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Sunbird.lnk
ShortcutTarget: Mozilla Sunbird.lnk -> C:\Program Files\Mozilla Sunbird\sunbird.exe (Mozilla)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.57.1

========================== Services (Whitelisted) =================

R2 AcPrfMgrSvc; C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe [124264 2009-12-11] (Lenovo)
R2 AcSvc; C:\Program Files\Lenovo\Access Connections\AcSvc.exe [255336 2009-12-11] (Lenovo)
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [1990464 2012-11-08] (COMODO)
S2 LENOVO.MICMUTE; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [45424 2009-07-03] (Lenovo Group Limited)
S3 Sony PC Companion; C:\Program Files\Sony\Sony PC Companion\PCCService.exe [155824 2013-02-04] (Avanquest Software)
R2 ThreatFire; C:\Program Files\ThreatFire\TFService.exe [70928 2011-02-22] (PC Tools)
R2 USBDLM; C:\Tools\USBDLM\USBDLM.exe [337888 2012-01-15] (Uwe Sieber - www.uwe-sieber.de)
S2 AntiVirWebService; "C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE" [X]

==================== Drivers (Whitelisted) ====================

S3 AR5416; C:\Windows\System32\DRIVERS\athw.sys [1347168 2009-04-03] (Atheros Communications, Inc.)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [494416 2012-11-08] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [36072 2012-11-08] (COMODO)
R1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [31088 2010-12-16] (Elaborate Bytes AG)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [82952 2012-11-08] (COMODO)
S3 MHIKEY10; C:\Windows\System32\Drivers\MHIKEY10.sys [52096 2010-10-01] (Generic USB smartcard reader)
S3 MSIRCOMM; C:\Windows\System32\DRIVERS\MSIRCOMM.sys [24064 2009-07-14] (Microsoft Corporation)
R3 sxuptp; C:\Windows\System32\DRIVERS\sxuptp.sys [246808 2008-09-12] (silex technology, Inc.)
R0 TfFsMon; C:\Windows\System32\drivers\TfFsMon.sys [51984 2011-02-22] (PC Tools)
R3 TfNetMon; C:\Windows\system32\drivers\TfNetMon.sys [33552 2011-02-22] (PC Tools)
R0 TfSysMon; C:\Windows\System32\drivers\TfSysMon.sys [69392 2011-02-22] (PC Tools)
R1 TPPWR; C:\Windows\System32\drivers\Tppwr.sys [16384 2005-04-20] (IBM Corp.)
R3 VSTHWICH; C:\Windows\System32\DRIVERS\VSTICH3.SYS [242176 2009-07-13] (Conexant Systems, Inc.)
R3 WSIMD; C:\Windows\System32\DRIVERS\wsimd.sys [57408 2008-02-08] (Atheros Communications, Inc.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-18 21:45 - 2014-02-18 21:48 - 00000000 ____D () C:\FRST
2014-02-18 21:41 - 2014-02-18 21:41 - 00000000 _____ () C:\Users\chef\defogger_reenable
2014-02-18 21:35 - 2014-02-18 21:35 - 00000326 _____ () C:\Windows\PFRO.log
2014-02-18 21:26 - 2014-02-18 21:29 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-02-17 21:40 - 2014-02-17 21:41 - 00137160 _____ () C:\Windows\Minidump\021714-31274-01.dmp
2014-02-15 11:28 - 2014-02-15 11:29 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-13 23:36 - 2014-02-13 23:37 - 00137160 _____ () C:\Windows\Minidump\021314-43332-01.dmp
2014-02-13 22:48 - 2014-02-13 22:48 - 00000000 ____D () C:\Users\ekki\AppData\Roaming\Thunderbird
2014-02-13 22:48 - 2014-02-13 22:48 - 00000000 ____D () C:\Users\ekki\AppData\Local\Thunderbird
2014-02-13 20:41 - 2014-02-05 09:58 - 12345344 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-13 20:41 - 2014-02-05 09:56 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-13 20:41 - 2014-02-05 09:53 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-13 20:41 - 2014-02-05 09:51 - 01105408 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-13 20:41 - 2014-02-05 09:50 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-13 20:41 - 2014-02-05 09:49 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-13 20:41 - 2014-02-05 09:49 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-02-13 20:41 - 2014-02-05 09:48 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-13 20:41 - 2014-02-05 09:48 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-02-13 20:41 - 2014-02-05 09:48 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-13 20:41 - 2014-02-05 09:48 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-13 20:41 - 2014-02-05 09:48 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-13 20:41 - 2014-02-05 09:47 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-13 20:41 - 2014-02-05 09:47 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-13 20:41 - 2014-02-05 09:47 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-02-13 20:41 - 2014-02-05 09:46 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-13 20:29 - 2014-01-01 00:05 - 00420008 _____ () C:\Windows\system32\locale.nls
2014-02-13 20:29 - 2013-12-06 03:02 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-02-13 20:29 - 2013-12-06 03:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-02-13 20:29 - 2013-11-27 00:29 - 05693440 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-02-13 20:26 - 2013-12-25 00:09 - 01987584 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-02-13 20:26 - 2013-11-26 09:16 - 03419136 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2014-02-13 20:21 - 2013-12-04 03:03 - 00428032 _____ (Microsoft Corporation) C:\Windows\system32\secproc.dll
2014-02-13 20:21 - 2013-12-04 03:03 - 00423936 _____ (Microsoft Corporation) C:\Windows\system32\secproc_isv.dll
2014-02-13 20:21 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp_isv.dll
2014-02-13 20:21 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp.dll
2014-02-13 20:21 - 2013-12-04 03:02 - 00390144 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll
2014-02-13 20:21 - 2013-12-04 02:54 - 00594944 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_isv.exe
2014-02-13 20:21 - 2013-12-04 02:54 - 00572416 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate.exe
2014-02-13 20:21 - 2013-12-04 02:54 - 00510976 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp.exe
2014-02-13 20:21 - 2013-12-04 02:54 - 00508928 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp_isv.exe
2014-01-21 21:30 - 2014-02-18 21:35 - 00005545 _____ () C:\Windows\setupact.log
2014-01-21 21:30 - 2014-01-21 21:30 - 00000000 _____ () C:\Windows\setuperr.log

==================== One Month Modified Files and Folders =======

2014-02-18 21:48 - 2014-02-18 21:45 - 00000000 ____D () C:\FRST
2014-02-18 21:47 - 2012-10-10 18:53 - 00000000 ____D () C:\Program Files\ThreatFire
2014-02-18 21:44 - 2012-09-29 21:15 - 01306572 _____ () C:\Windows\WindowsUpdate.log
2014-02-18 21:43 - 2009-07-14 05:34 - 00031872 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-18 21:43 - 2009-07-14 05:34 - 00031872 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-18 21:41 - 2014-02-18 21:41 - 00000000 _____ () C:\Users\chef\defogger_reenable
2014-02-18 21:41 - 2012-09-29 21:42 - 00000000 ____D () C:\Users\chef
2014-02-18 21:35 - 2014-02-18 21:35 - 00000326 _____ () C:\Windows\PFRO.log
2014-02-18 21:35 - 2014-01-21 21:30 - 00005545 _____ () C:\Windows\setupact.log
2014-02-18 21:35 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-18 21:29 - 2014-02-18 21:26 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-02-18 21:28 - 2013-08-25 17:51 - 00000000 ____D () C:\ProgramData\Avira
2014-02-18 19:48 - 2012-11-08 22:51 - 00000444 _____ () C:\Windows\Tasks\BMMTask.job
2014-02-18 16:24 - 2010-11-20 22:01 - 01619700 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-17 21:58 - 2013-02-20 20:08 - 00000000 ____D () C:\Users\gini
2014-02-17 21:41 - 2014-02-17 21:40 - 00137160 _____ () C:\Windows\Minidump\021714-31274-01.dmp
2014-02-17 21:40 - 2014-01-07 11:44 - 00000000 ____D () C:\Windows\Minidump
2014-02-17 21:39 - 2013-02-20 19:36 - 00000000 ____D () C:\Users\ekki
2014-02-17 21:39 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-02-17 21:39 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\registration
2014-02-16 12:20 - 2013-08-20 09:17 - 00000000 ____D () C:\Users\gini\AppData\Roaming\Audacity
2014-02-16 12:18 - 2012-10-09 21:38 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-02-15 11:29 - 2014-02-15 11:28 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-14 23:36 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-02-14 00:10 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\rescache
2014-02-13 23:37 - 2014-02-13 23:36 - 00137160 _____ () C:\Windows\Minidump\021314-43332-01.dmp
2014-02-13 22:48 - 2014-02-13 22:48 - 00000000 ____D () C:\Users\ekki\AppData\Roaming\Thunderbird
2014-02-13 22:48 - 2014-02-13 22:48 - 00000000 ____D () C:\Users\ekki\AppData\Local\Thunderbird
2014-02-13 22:31 - 2012-10-08 20:52 - 00000000 ____D () C:\Users\chef\.mucommander
2014-02-13 22:28 - 2012-12-18 22:57 - 00000947 _____ () C:\Users\Public\Desktop\Mp3tag.lnk
2014-02-13 22:28 - 2012-12-18 22:57 - 00000000 ____D () C:\Program Files\Mp3tag
2014-02-13 22:26 - 2012-12-18 22:58 - 00000000 ____D () C:\Users\chef\AppData\Roaming\Mp3tag
2014-02-13 21:57 - 2013-12-18 22:27 - 00001034 _____ () C:\Users\Public\Desktop\VLC media player.lnk
2014-02-13 21:34 - 2012-10-10 21:00 - 00000000 ____D () C:\Users\chef\AppData\Roaming\Audacity
2014-02-13 21:24 - 2013-06-12 22:16 - 00000000 ____D () C:\Users\chef\AppData\Local\Adobe
2014-02-13 21:24 - 2012-10-09 21:46 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-02-13 21:24 - 2012-10-09 21:46 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-02-13 21:18 - 2013-11-14 22:46 - 00000000 ____D () C:\Program Files\Mozilla Thunderbird
2014-02-13 20:58 - 2013-07-15 17:50 - 00000000 ____D () C:\Windows\system32\MRT
2014-02-13 20:49 - 2012-10-10 22:44 - 85946576 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-02-13 20:31 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\system32\de-DE
2014-02-13 00:10 - 2013-05-18 14:15 - 00000000 ____D () C:\Users\gini\AppData\Roaming\BOM
2014-02-10 23:22 - 2013-03-28 22:29 - 00000000 ____D () C:\Users\gini\AppData\Local\FreePDF_XP
2014-02-05 09:58 - 2014-02-13 20:41 - 12345344 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-05 09:56 - 2014-02-13 20:41 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-05 09:53 - 2014-02-13 20:41 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-05 09:51 - 2014-02-13 20:41 - 01105408 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-05 09:50 - 2014-02-13 20:41 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-05 09:49 - 2014-02-13 20:41 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-05 09:49 - 2014-02-13 20:41 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-02-05 09:48 - 2014-02-13 20:41 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-05 09:48 - 2014-02-13 20:41 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-02-05 09:48 - 2014-02-13 20:41 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-05 09:48 - 2014-02-13 20:41 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-05 09:48 - 2014-02-13 20:41 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-05 09:47 - 2014-02-13 20:41 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-05 09:47 - 2014-02-13 20:41 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-05 09:47 - 2014-02-13 20:41 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-02-05 09:46 - 2014-02-13 20:41 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-04 23:42 - 2013-03-06 19:52 - 00000000 ____D () C:\Users\gini\AppData\Roaming\vlc
2014-02-01 22:05 - 2009-07-14 05:53 - 00032632 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-24 21:57 - 2013-04-04 10:20 - 00000000 ____D () C:\Users\gini\.mucommander
2014-01-22 22:37 - 2013-06-10 14:23 - 00000000 ____D () C:\CardReader
2014-01-21 21:30 - 2014-01-21 21:30 - 00000000 _____ () C:\Windows\setuperr.log
2014-01-20 21:26 - 2012-09-29 22:10 - 00000000 ____D () C:\Windows\Panther

Some content of TEMP:
====================
C:\Users\ekki\AppData\Local\Temp\AskSLib.dll
C:\Users\ekki\AppData\Local\Temp\avgnt.exe
C:\Users\ekki\AppData\Local\Temp\Checkupdate.exe
C:\Users\ekki\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\ekki\AppData\Local\Temp\gcapi_dll.dll
C:\Users\ekki\AppData\Local\Temp\gtapi_signed.dll
C:\Users\gini\AppData\Local\Temp\AskSLib.dll
C:\Users\gini\AppData\Local\Temp\avgnt.exe
C:\Users\gini\AppData\Local\Temp\Checkupdate.exe
C:\Users\gini\AppData\Local\Temp\ecrinwd1.dll
C:\Users\gini\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\gini\AppData\Local\Temp\Foxit Updater.exe
C:\Users\gini\AppData\Local\Temp\gcapi_dll.dll
C:\Users\gini\AppData\Local\Temp\gtapi_signed.dll
C:\Users\gini\AppData\Local\Temp\jna5314436778881323239.dll
C:\Users\gini\AppData\Local\Temp\jna6319985011786942891.dll
C:\Users\gini\AppData\Local\Temp\jna67619801806900368.dll
C:\Users\gini\AppData\Local\Temp\jna6885078733716915831.dll
C:\Users\gini\AppData\Local\Temp\jna8462753187460255465.dll
C:\Users\gini\AppData\Local\Temp\Nokia_Suite_PCS_update.exe
C:\Users\chef\AppData\Local\Temp\avgnt.exe
C:\Users\chef\AppData\Local\Temp\Checkupdate.exe
C:\Users\chef\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\chef\AppData\Local\Temp\gcapi_dll.dll
C:\Users\chef\AppData\Local\Temp\gtapi_signed.dll
C:\Users\chef\AppData\Local\Temp\jna2717950152216819154.dll
C:\Users\chef\AppData\Local\Temp\jna928355162319514545.dll
C:\Users\chef\AppData\Local\Temp\PicasaUpdater_3221.exe
C:\Users\chef\AppData\Local\Temp\vlc-2.1.3-win32.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-02-18 16:44

==================== End Of Log ============================

and Addition.txt:

Code:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-02-2014
Ran by chef at 2014-02-18 21:51:16
Running from E:\
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: COMODO Defense+ (Enabled - Up to date) {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall (Enabled) {7DB03214-694B-060B-1600-BD4715C36DBB}

==================== Installed Programs ======================

7-Zip 9.20 (Version:  - )
Adobe Flash Player 11 ActiveX (Version: 11.6.602.180 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (Version: 12.0.0.44 - Adobe Systems Incorporated)
Anzeige am Bildschirm (Version: 5.32.00 - )
Audacity 2.0.5 (Version: 2.0.5 - Audacity Team)
Biet-O-Matic v2.14.12 (Version: 2.14.12 - BOM Development Team)
CDex - Open Source Digital Audio CD Extractor (Version: 1.70.4.2009 - Georgy Berdyshev)
Citrix Authentication Manager (Version: 5.0.0.60597 - Citrix Systems, Inc.) Hidden
Citrix Receiver (DV) (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
Citrix Receiver (HDX Flash-Umleitung) (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
Citrix Receiver (USB) (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
Citrix Receiver (Version: 14.0.0.91 - Citrix Systems, Inc.)
Citrix Receiver Inside (Version: 3.4.0.45902 - Citrix Systems, Inc.) Hidden
Citrix Receiver Updater (Version: 4.0.0.45893 - Citrix Systems, Inc.) Hidden
Citrix Receiver(Aero) (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
CloudReading (Version: 1.0.27.1025 - Foxit Corporation)
COMODO Internet Security (Version: 5.10.31649.2253 - COMODO Security Solutions Inc.)
Dienstprogramm "ThinkPad UltraNav" (Version: 2.13.0 - Lenovo)
ElsterFormular (Version: 14.4.12044 - Landesfinanzdirektion Thüringen)
ElsterFormular 2008/2009 (Version: 10.3.2.0 - Steuerverwaltung des Bundes und der Länder)
Foxit Reader (Version: 6.1.1.1031 - Foxit Corporation)
FreePDF (Remove only) (Version:  - )
GPL Ghostscript (Version: 9.06 - Artifex Software Inc.)
IBM ThinkPad Battery MaxiMiser and Power Management Features (Version: 1.38 - )
Java 7 Update 51 (Version: 7.0.510 - Oracle)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
LAME v3.99.3 (for Windows) (Version:  - )
Lenovo Power Management Driver (Version: 1.67.04.04 - )
Microsoft .NET Framework 4.5.1 (DEU) (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (Deutsch) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 27.0.1 (x86 de) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (Version: 27.0.1 - Mozilla)
Mozilla Thunderbird 24.3.0 (x86 de) (Version: 24.3.0 - Mozilla)
Mp3tag v2.58 (Version: v2.58 - Florian Heidenreich)
MSVC90_x86 (Version: 1.0.1.2 - Nokia) Hidden
muCommander (remove only) (Version:  - )
MyPhoneExplorer (Version: 1.8.5 - F.J. Wechselberger)
Nokia Connectivity Cable Driver (Version: 7.1.78.0 - Nokia)
Nokia PC Suite (Version: 7.1.180.94 - Nokia)
Nokia PC Suite (Version: 7.1.180.94 - Nokia) Hidden
Online Plug-in (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
OpenOffice 4.0.1 (Version: 4.01.9714 - Apache Software Foundation)
PC Connectivity Solution (Version: 12.0.27.0 - Nokia)
Picasa 3 (Version: 3.9 - Google, Inc.)
RedMon - Redirection Port Monitor (Version:  - )
Self-Service Plug-in (Version: 4.0.0.40674 - Citrix Systems, Inc.) Hidden
Sony PC Companion 2.10.165 (Version: 2.10.165 - Sony)
StreamTransport version: 1.0.2.2171 (Version:  - )
SX Virtual Link (Version: 3.1.0 - silex technology, Inc.)
TeamViewer 9 (Version: 9.0.24482 - TeamViewer)
ThinkPad 11a/b/g/n Wireless LAN Mini-PCI Express Adapter (Version: 7.6.1.260b - )
ThinkPad FullScreen Magnifier (Version: 2.10 - )
ThinkPad UltraNav Driver (Version: 16.2.19.7 - )
ThinkVantage Access Connections (Version: 5.50 - Lenovo)
ThinkVantage System für aktiven Festplattenschutz (Version: 1.71 - Lenovo)
ThreatFire (Version:  - PC Tools)
TightVNC (Version: 2.6.4.0 - GlavSoft LLC.)
VirtualCloneDrive (Version:  - Elaborate Bytes)
VLC media player 2.1.3 (Version: 2.1.3 - VideoLAN)
Windows-Treiberpaket - Nokia Modem (02/25/2011 4.7) (Version: 02/25/2011 4.7 - Nokia)
Windows-Treiberpaket - Nokia Modem (02/25/2011 7.01.0.9) (Version: 02/25/2011 7.01.0.9 - Nokia)
Windows-Treiberpaket - Nokia pccsmcfd “LegacyDriver” (05/31/2012 7.1.2.0) (Version: 05/31/2012 7.1.2.0 - Nokia)

==================== Restore Points =========================


==================== Hosts content: ==========================

2009-07-14 03:04 - 2009-06-10 22:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {32D1AD87-3DC3-4E32-9645-92358F3C7622} - System32\Tasks\BMMTask => C:\Program Files\ThinkPad\Utilities\BMMTASK.EXE [2005-04-20] ()
Task: {C9D6BC11-0F9A-48D0-8040-6D8716480C4E} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: C:\Windows\Tasks\BMMTask.job => C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE

==================== Loaded Modules (whitelisted) =============

2009-12-11 10:58 - 2009-12-11 10:58 - 00655360 _____ () C:\Program Files\Lenovo\Access Connections\ACDeskBand.dll
2012-11-08 22:51 - 2005-04-20 00:38 - 00396288 _____ () C:\Program Files\ThinkPad\Utilities\BATINFEX.DLL

==================== Safe Mode (whitelisted) ===================


==================== Disabled items from MSCONFIG ==============

MSCONFIG\Services: gusvc => 3
MSCONFIG\Services: TeamViewer8 => 2
MSCONFIG\startupreg: CitrixReceiver => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
MSCONFIG\startupreg: ConnectionCenter => "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
MSCONFIG\startupreg: Redirector => "C:\Program Files\Citrix\ICA Client\redirector.exe" /startup

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/18/2014 09:36:07 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/18/2014 04:49:41 PM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1". Die abhängige Assemblierung "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (02/18/2014 04:47:00 PM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1". Die abhängige Assemblierung "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (02/18/2014 04:44:18 PM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "1". Fehler in Manifest- oder Richtliniendatei "2" in Zeile 3. Ungültige XML-Syntax.

Error: (02/18/2014 04:00:20 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/17/2014 10:21:28 PM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1". Die abhängige Assemblierung "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (02/17/2014 10:18:53 PM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1". Die abhängige Assemblierung "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (02/17/2014 10:16:31 PM) (Source: SideBySide) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "1". Fehler in Manifest- oder Richtliniendatei "2" in Zeile 3. Ungültige XML-Syntax.

Error: (02/17/2014 09:50:55 PM) (Source: Windows Backup) (User: )
Description: Die Sicherung wurde aufgrund eines Fehlers beim Schreiben am Sicherungsspeicherort "\\DESKTOP-S\_Dasi\Laptop-R\" nicht abgeschlossen. Fehler: "Zum Speichern von Dateien an einer Netzwerkadresse benötigen Sie für diesen Pfad die Berechtigungsstufe "Vollzugriff". (0x8100002A)"

Error: (02/17/2014 09:42:01 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (02/18/2014 09:35:50 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Avira Browser-Schutz" ist von folgendem Dienst abhängig: AntiVirService. Dieser Dienst ist eventuell nicht installiert.

Error: (02/18/2014 06:52:26 PM) (Source: Service Control Manager) (User: )
Description: Der Dienst "Avira Browser-Schutz" wurde mit folgendem dienstspezifischem Fehler beendet: %%4.

Error: (02/18/2014 06:16:29 PM) (Source: volsnap) (User: )
Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte.

Error: (02/17/2014 10:15:34 PM) (Source: volsnap) (User: )
Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte.

Error: (02/17/2014 09:41:08 PM) (Source: BugCheck) (User: )
Description: 0x0000000a (0x00000016, 0x00000002, 0x00000000, 0x82c6ecda)C:\Windows\MEMORY.DMP021714-31274-01

Error: (02/15/2014 11:11:17 PM) (Source: volsnap) (User: )
Description: Die Schattenkopien von Volume "C:" wurden abgebrochen, weil der Schattenkopiespeicher nicht auf ein benutzerdefiniertes Limit vergrößert werden konnte.

Error: (02/13/2014 11:44:36 PM) (Source: Service Control Manager) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst Microsoft .NET Framework NGEN v4.0.30319_X86 erreicht.

Error: (02/13/2014 11:42:38 PM) (Source: Service Control Manager) (User: )
Description: Das Zeitlimit (30000 ms) wurde beim Warten auf eine Transaktionsrückmeldung von Dienst lmhosts erreicht.

Error: (02/13/2014 11:37:09 PM) (Source: BugCheck) (User: )
Description: 0x0000000a (0x00000016, 0x00000002, 0x00000000, 0x82c6dcda)C:\Windows\MEMORY.DMP021314-43332-01

Error: (02/13/2014 11:36:13 PM) (Source: EventLog) (User: )
Description: Das System wurde zuvor am 13.02.2014 um 23:30:45 unerwartet heruntergefahren.


Microsoft Office Sessions:
=========================
Error: (02/18/2014 09:36:07 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/18/2014 04:49:41 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Sony\sony pc companion\Drivers\DPInst64.exe

Error: (02/18/2014 04:47:00 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\Nokia\Nokia PC Suite 7\TIS_Windows7PIM.dll

Error: (02/18/2014 04:44:18 PM) (Source: SideBySide)(User: )
Description: C:\Program Files\Lenovo\Access Connections\AcCryptHlpr.dllC:\Program Files\Lenovo\Access Connections\AcCryptHlpr.dll0

Error: (02/18/2014 04:00:20 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/17/2014 10:21:28 PM) (Source:
SideBySide)(User: ) Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Sony\sony pc companion\Drivers\DPInst64.exe Error: (02/17/2014 10:18:53 PM) (Source: SideBySide)(User: ) Description: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\Nokia\Nokia PC Suite 7\TIS_Windows7PIM.dll Error: (02/17/2014 10:16:31 PM) (Source: SideBySide)(User: ) Description: C:\Program Files\Lenovo\Access Connections\AcCryptHlpr.dllC:\Program Files\Lenovo\Access Connections\AcCryptHlpr.dll0 Error: (02/17/2014 09:50:55 PM) (Source: Windows Backup)(User: ) Description: \\DESKTOP-S\_Dasi\Laptop-R\Zum Speichern von Dateien an einer Netzwerkadresse benötigen Sie für diesen Pfad die Berechtigungsstufe "Vollzugriff". (0x8100002A) Error: (02/17/2014 09:42:01 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 CodeIntegrity Errors: =================================== Date: 2014-02-18 21:21:41.306 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-18 21:07:26.277 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-18 18:52:38.556 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. 
Date: 2014-02-18 17:48:06.245 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-18 16:22:45.561 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-17 22:26:37.693 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-17 22:01:03.870 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-16 21:43:42.688 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-16 12:13:56.537 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2014-02-14 00:48:49.117 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. 
==================== Memory info ===========================
Percentage of memory in use: 70%
Total physical RAM: 1022.99 MB
Available physical RAM: 301.62 MB
Total Pagefile: 2046.99 MB
Available Pagefile: 1124.23 MB
Total Virtual: 2047.88 MB
Available Virtual: 1898.47 MB
==================== Drives ================================
Drive c: (LAPTOP-R_C) (Fixed) (Total:29.2 GB) (Free:6.25 GB) NTFS
Drive d: (LAPTOP-R_D) (Fixed) (Total:53.19 GB) (Free:26.03 GB) NTFS
Drive e: () (Removable) (Total:3.85 GB) (Free:3.32 GB) FAT32
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 112 GB) (Disk ID: 89D80A4B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=29 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=53 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (Size: 4 GB) (Disk ID: A7D7004D)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)
==================== End Of Log ============================
more to follow...

and continuing: AVSCAN-20140218-233451-09BAF2F2.LOG: Code:
ATTFilter Avira Free Antivirus Erstellungsdatum der Reportdatei: Dienstag, 18. Februar 2014 23:35 Das Programm läuft als uneingeschränkte Vollversion. Online-Dienste stehen zur Verfügung. Lizenznehmer : Avira Antivirus Free Seriennummer : 0000149996-AVHOE-0000001 Plattform : Windows 7 Professional Windowsversion : (Service Pack 1) [6.1.7601] Boot Modus : Normal gebootet Benutzername : SYSTEM Computername : LAPTOP-R Versionsinformationen: BUILD.DAT : 14.0.3.338 56624 Bytes 14.02.2014 11:00:00 AVSCAN.EXE : 14.0.3.332 1058384 Bytes 14.02.2014 10:00:47 AVSCANRC.DLL : 14.0.2.180 62008 Bytes 14.02.2014 10:00:47 LUKE.DLL : 14.0.3.336 65616 Bytes 14.02.2014 10:00:49 AVSCPLR.DLL : 14.0.3.336 124496 Bytes 14.02.2014 10:00:47 AVREG.DLL : 14.0.3.336 250448 Bytes 14.02.2014 10:00:47 avlode.dll : 14.0.3.336 544848 Bytes 14.02.2014 10:00:47 avlode.rdf : 14.0.3.26 58589 Bytes 18.02.2014 21:38:41 VBASE000.VDF : 7.11.70.0 66736640 Bytes 04.04.2013 10:00:51 VBASE001.VDF : 7.11.74.226 2201600 Bytes 30.04.2013 10:00:51 VBASE002.VDF : 7.11.80.60 2751488 Bytes 28.05.2013 10:00:51 VBASE003.VDF : 7.11.85.214 2162688 Bytes 21.06.2013 10:00:51 VBASE004.VDF : 7.11.91.176 3903488 Bytes 23.07.2013 10:00:51 VBASE005.VDF : 7.11.98.186 6822912 Bytes 29.08.2013 10:00:51 VBASE006.VDF : 7.11.103.230 2293248 Bytes 24.09.2013 10:00:51 VBASE007.VDF : 7.11.116.38 5485568 Bytes 28.11.2013 10:00:51 VBASE008.VDF : 7.11.126.50 3615744 Bytes 22.01.2014 10:00:51 VBASE009.VDF : 7.11.128.174 2030080 Bytes 03.02.2014 10:00:51 VBASE010.VDF : 7.11.128.175 2048 Bytes 03.02.2014 10:00:51 VBASE011.VDF : 7.11.128.176 2048 Bytes 03.02.2014 10:00:51 VBASE012.VDF : 7.11.128.177 2048 Bytes 03.02.2014 10:00:51 VBASE013.VDF : 7.11.128.178 2048 Bytes 03.02.2014 10:00:51 VBASE014.VDF : 7.11.129.9 211456 Bytes 04.02.2014 10:00:51 VBASE015.VDF : 7.11.129.163 215040 Bytes 06.02.2014 10:00:51 VBASE016.VDF : 7.11.130.21 220672 Bytes 08.02.2014 10:00:51 VBASE017.VDF : 7.11.130.99 230400 Bytes 10.02.2014 10:00:51 VBASE018.VDF : 
7.11.130.193 195072 Bytes 11.02.2014 10:00:51 VBASE019.VDF : 7.11.131.53 285184 Bytes 13.02.2014 10:00:51 VBASE020.VDF : 7.11.131.125 154624 Bytes 14.02.2014 21:38:38 VBASE021.VDF : 7.11.131.201 194560 Bytes 15.02.2014 21:38:38 VBASE022.VDF : 7.11.132.11 233472 Bytes 17.02.2014 21:38:39 VBASE023.VDF : 7.11.132.80 415232 Bytes 18.02.2014 21:38:40 VBASE024.VDF : 7.11.132.81 2048 Bytes 18.02.2014 21:38:40 VBASE025.VDF : 7.11.132.82 2048 Bytes 18.02.2014 21:38:40 VBASE026.VDF : 7.11.132.83 2048 Bytes 18.02.2014 21:38:40 VBASE027.VDF : 7.11.132.84 2048 Bytes 18.02.2014 21:38:40 VBASE028.VDF : 7.11.132.85 2048 Bytes 18.02.2014 21:38:40 VBASE029.VDF : 7.11.132.86 2048 Bytes 18.02.2014 21:38:40 VBASE030.VDF : 7.11.132.87 2048 Bytes 18.02.2014 21:38:40 VBASE031.VDF : 7.11.132.128 108544 Bytes 18.02.2014 21:38:40 Engineversion : 8.2.14.12 AEVDF.DLL : 8.1.3.4 102774 Bytes 14.02.2014 10:00:46 AESCRIPT.DLL : 8.1.4.190 516478 Bytes 14.02.2014 10:00:46 AESCN.DLL : 8.1.10.6 131447 Bytes 14.02.2014 10:00:46 AESBX.DLL : 8.2.20.6 1331575 Bytes 14.02.2014 10:00:46 AERDL.DLL : 8.2.0.138 704888 Bytes 14.02.2014 10:00:46 AEPACK.DLL : 8.4.0.0 774520 Bytes 14.02.2014 10:00:46 AEOFFICE.DLL : 8.1.2.82 205181 Bytes 18.02.2014 21:38:41 AEHEUR.DLL : 8.1.4.918 6484346 Bytes 14.02.2014 10:00:46 AEHELP.DLL : 8.1.27.10 266618 Bytes 14.02.2014 10:00:46 AEGEN.DLL : 8.1.7.22 446839 Bytes 14.02.2014 10:00:46 AEEXP.DLL : 8.4.1.204 434552 Bytes 14.02.2014 10:00:46 AEEMU.DLL : 8.1.3.2 393587 Bytes 14.02.2014 10:00:46 AECORE.DLL : 8.1.35.0 229753 Bytes 14.02.2014 10:00:46 AEBB.DLL : 8.1.1.4 53619 Bytes 14.02.2014 10:00:46 AVWINLL.DLL : 14.0.3.252 23608 Bytes 14.02.2014 10:00:48 AVPREF.DLL : 14.0.3.252 48696 Bytes 14.02.2014 10:00:47 AVREP.DLL : 14.0.3.252 175672 Bytes 14.02.2014 10:00:47 AVARKT.DLL : 14.0.3.336 256080 Bytes 14.02.2014 10:00:46 AVEVTLOG.DLL : 14.0.3.336 165968 Bytes 14.02.2014 10:00:46 SQLITE3.DLL : 3.7.0.1 394808 Bytes 14.02.2014 10:00:50 AVSMTP.DLL : 14.0.3.252 60472 Bytes 14.02.2014 
10:00:47 NETNT.DLL : 14.0.3.252 13368 Bytes 14.02.2014 10:00:49 RCIMAGE.DLL : 14.0.3.260 4979256 Bytes 14.02.2014 10:00:50 RCTEXT.DLL : 14.0.3.282 72760 Bytes 14.02.2014 10:00:50 Konfiguration für den aktuellen Suchlauf: Job Name..............................: Vollständige Systemprüfung Konfigurationsdatei...................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp Protokollierung.......................: standard Primäre Aktion........................: Interaktiv Sekundäre Aktion......................: Ignorieren Durchsuche Masterbootsektoren.........: ein Durchsuche Bootsektoren...............: ein Bootsektoren..........................: C:, D:, Durchsuche aktive Programme...........: ein Laufende Programme erweitert..........: ein Durchsuche Registrierung..............: ein Suche nach Rootkits...................: ein Integritätsprüfung von Systemdateien..: aus Prüfe alle Dateien....................: Alle Dateien Durchsuche Archive....................: ein Rekursionstiefe einschränken..........: 20 Archiv Smart Extensions...............: ein Makrovirenheuristik...................: ein Dateiheuristik........................: erweitert Abweichende Gefahrenkategorien........: +PCK,+SPR, Beginn des Suchlaufs: Dienstag, 18. Februar 2014 23:35 Der Suchlauf über die Bootsektoren wird begonnen: Bootsektor 'HDD0(C:, D:)' [INFO] Es wurde kein Virus gefunden! Der Suchlauf nach versteckten Objekten wird begonnen. 
Der Suchlauf über gestartete Prozesse wird begonnen: Durchsuche Prozess 'SearchFilterHost.exe' - '35' Modul(e) wurden durchsucht Durchsuche Prozess 'SearchProtocolHost.exe' - '37' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '42' Modul(e) wurden durchsucht Durchsuche Prozess 'cfp.exe' - '87' Modul(e) wurden durchsucht Durchsuche Prozess 'vssvc.exe' - '53' Modul(e) wurden durchsucht Durchsuche Prozess 'avscan.exe' - '125' Modul(e) wurden durchsucht Durchsuche Prozess 'firefox.exe' - '106' Modul(e) wurden durchsucht Durchsuche Prozess 'avcenter.exe' - '114' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '37' Modul(e) wurden durchsucht Durchsuche Prozess 'wmpnetwk.exe' - '79' Modul(e) wurden durchsucht Durchsuche Prozess 'SYNTPHELPER.EXE' - '27' Modul(e) wurden durchsucht Durchsuche Prozess 'SynTPLpr.exe' - '28' Modul(e) wurden durchsucht Durchsuche Prozess 'avgnt.exe' - '90' Modul(e) wurden durchsucht Durchsuche Prozess 'jusched.exe' - '30' Modul(e) wurden durchsucht Durchsuche Prozess 'SynTPEnh.exe' - '48' Modul(e) wurden durchsucht Durchsuche Prozess 'SvcGuiHlpr.exe' - '75' Modul(e) wurden durchsucht Durchsuche Prozess 'rundll32.exe' - '43' Modul(e) wurden durchsucht Durchsuche Prozess 'rundll32.exe' - '44' Modul(e) wurden durchsucht Durchsuche Prozess 'fpassist.exe' - '30' Modul(e) wurden durchsucht Durchsuche Prozess 'TFTray.exe' - '50' Modul(e) wurden durchsucht Durchsuche Prozess 'VCDDaemon.exe' - '34' Modul(e) wurden durchsucht Durchsuche Prozess 'tpfnf6r.exe' - '25' Modul(e) wurden durchsucht Durchsuche Prozess 'TpShocks.exe' - '31' Modul(e) wurden durchsucht Durchsuche Prozess 'USBDLM_usr.exe' - '26' Modul(e) wurden durchsucht Durchsuche Prozess 'Explorer.EXE' - '171' Modul(e) wurden durchsucht Durchsuche Prozess 'Dwm.exe' - '37' Modul(e) wurden durchsucht Durchsuche Prozess 'taskhost.exe' - '58' Modul(e) wurden durchsucht Durchsuche Prozess 'UI0Detect.exe' - '33' Modul(e) wurden durchsucht Durchsuche Prozess 
'SearchIndexer.exe' - '63' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '46' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '42' Modul(e) wurden durchsucht Durchsuche Prozess 'AVWEBGRD.EXE' - '59' Modul(e) wurden durchsucht Durchsuche Prozess 'avshadow.exe' - '34' Modul(e) wurden durchsucht Durchsuche Prozess 'AcSvc.exe' - '101' Modul(e) wurden durchsucht Durchsuche Prozess 'USBDLM.exe' - '50' Modul(e) wurden durchsucht Durchsuche Prozess 'TFService.exe' - '92' Modul(e) wurden durchsucht Durchsuche Prozess 'TeamViewer_Service.exe' - '101' Modul(e) wurden durchsucht Durchsuche Prozess 'avguard.exe' - '104' Modul(e) wurden durchsucht Durchsuche Prozess 'AcPrfMgrSvc.exe' - '75' Modul(e) wurden durchsucht Durchsuche Prozess 'TPHKSVC.exe' - '38' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '67' Modul(e) wurden durchsucht Durchsuche Prozess 'sched.exe' - '54' Modul(e) wurden durchsucht Durchsuche Prozess 'spoolsv.exe' - '90' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '36' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '147' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '80' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '116' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '83' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '99' Modul(e) wurden durchsucht Durchsuche Prozess 'cmdagent.exe' - '99' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '42' Modul(e) wurden durchsucht Durchsuche Prozess 'ibmpmsvc.exe' - '31' Modul(e) wurden durchsucht Durchsuche Prozess 'svchost.exe' - '59' Modul(e) wurden durchsucht Durchsuche Prozess 'winlogon.exe' - '40' Modul(e) wurden durchsucht Durchsuche Prozess 'lsm.exe' - '38' Modul(e) wurden durchsucht Durchsuche Prozess 'lsass.exe' - '76' Modul(e) wurden durchsucht Durchsuche Prozess 'services.exe' - '42' Modul(e) wurden durchsucht Durchsuche Prozess 'csrss.exe' - '19' Modul(e) 
wurden durchsucht
Durchsuche Prozess 'wininit.exe' - '34' Modul(e) wurden durchsucht
Durchsuche Prozess 'csrss.exe' - '19' Modul(e) wurden durchsucht
Durchsuche Prozess 'smss.exe' - '2' Modul(e) wurden durchsucht
Der Suchlauf auf Verweise zu ausführbaren Dateien (Registry) wird begonnen:
Die Registry wurde durchsucht ( '3408' Dateien ).
Der Suchlauf über die ausgewählten Dateien wird begonnen:
Beginne mit der Suche in 'C:\' <LAPTOP-R_C>
Beginne mit der Suche in 'D:\' <LAPTOP-R_D>
Ende des Suchlaufs: Mittwoch, 19. Februar 2014 01:06
Benötigte Zeit: 1:30:53 Stunde(n)
Der Suchlauf wurde vollständig durchgeführt.
23172 Verzeichnisse wurden überprüft
957496 Dateien wurden geprüft
0 Viren bzw. unerwünschte Programme wurden gefunden
0 Dateien wurden als verdächtig eingestuft
0 Dateien wurden gelöscht
0 Viren bzw. unerwünschte Programme wurden repariert
0 Dateien wurden in die Quarantäne verschoben
0 Dateien wurden umbenannt
0 Dateien konnten nicht durchsucht werden
957496 Dateien ohne Befall
5824 Archive wurden durchsucht
0 Warnungen
0 Hinweise
487310 Objekte wurden beim Rootkitscan durchsucht
0 Versteckte Objekte wurden gefunden
Regards, Regina |
19.02.2014, 16:22 | #4 |
| Windows 7: Bluescreen after startup, recovery successful but suspected malware Hello, and now the Gmer.txt parts. gmer01_0001-0598.txt: Code:
ATTFilter GMER 2.1.19357 - hxxp://www.gmer.net Rootkit scan 2014-02-18 22:26:10 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1200VE-00KWT0 rev.01.03K01 111,79GB Running: Gmer-19357.exe; Driver: C:\Users\chef\AppData\Local\Temp\fxddapow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x88319FB0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8831A19C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0x88319310] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0x88319C16] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0x883199CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8831AD14] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0x88318CFC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x8831A3CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0x8831A746] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x883195D8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0x88319DF2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0x88319872] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x8831AA32] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x88319542] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x8831975E] SSDT \SystemRoot\system32\drivers\TfSysMon.sys ZwTerminateProcess [0x87C882D0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0x88318F00] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1409 82C399A5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C59512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] 
{LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 139F 82C60994 4 Bytes [B0, 9F, 31, 88] .text ntoskrnl.exe!KeRemoveQueueEx + 13C7 82C609BC 4 Bytes [9C, A1, 31, 88] .text ntoskrnl.exe!KeRemoveQueueEx + 145B 82C60A50 4 Bytes JMP B4591AD7 .text ntoskrnl.exe!KeRemoveQueueEx + 1477 82C60A6C 4 Bytes [16, 9C, 31, 88] .text ntoskrnl.exe!KeRemoveQueueEx + 14BF 82C60AB4 4 Bytes [CA, 99, 31, 88] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 003CB670 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtClose 77C85508 5 Bytes JMP 003BD120 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [59, 71] .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 003BD240 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 003C7F40 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 003C5070 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 003C5C00 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] 
kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 003C3BA0 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F1000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70EB000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7112000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70BB000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70A3000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 7109000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70BE000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70A6000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7085000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7088000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70D6000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70F7000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E2000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 710C000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] 
kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 714B000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70C1000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 710F000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 7118000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 7115000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 7094000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70B5000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70D3000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 7145000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70B8000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 716F000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 708B000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 7148000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70F4000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 708E000A 
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70D9000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 716C000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7091000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70EE000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 7178000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 715D000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70D0000A .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 003C8D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 003C8AE0 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 003C9E10 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 003C9D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [4D, 71] .text C:\Program Files\Lenovo\Access 
Connections\AcSvc.exe[416] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7100000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 7166000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 70FD000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70AC000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70A9000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [F9, 70]
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7151000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 7169000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70AF000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 7097000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70B2000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 709A000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [62, 71]
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7160000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!EndTask 7667FD66 6 Bytes JMP 7175000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7103000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 7136000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 713C000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 7124000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 709D000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7142000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 712A000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 7127000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 7139000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7133000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 7106000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70CA000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 713F000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70C4000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70C7000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70CD000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [20, 71]
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 712D000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 711B000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 711E000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7130000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 7154000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70A0000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 003C44D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 7157000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7181000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70E5000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 717B000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 717E000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 7184000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70E8000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] WININET.dll!InternetOpenUrlA 7696E1C6 6 Bytes JMP 70DF000A
.text C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] WININET.dll!InternetOpenUrlW 769CDC08 6 Bytes JMP 70DC000A
.text C:\Windows\system32\csrss.exe[460] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 75E21BA0 C:\Windows\system32\cmdcsr.dll
.text C:\Windows\system32\csrss.exe[460] ntdll.dll!NtReplyWaitReceivePort 77C86458 5 Bytes JMP 75E21450 C:\Windows\system32\cmdcsr.dll
.text C:\Windows\system32\csrss.exe[460] ntdll.dll!NtReplyWaitReceivePortEx 77C86468 5 Bytes JMP 75E217F0 C:\Windows\system32\cmdcsr.dll
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5A, 71]
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [75, 71] {JNZ 0x73}
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F0000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70EA000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7111000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C0000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70A8000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 7108000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70C3000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70AB000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 708A000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 708D000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70DB000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70F6000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E1000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 710B000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 714A000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70C6000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 710E000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 7117000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 7114000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 7099000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70BA000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70D8000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 7144000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70BD000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7173000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7090000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 7147000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70F3000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 7093000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70DE000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7170000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7096000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileExA 7683CDA1 4 Bytes JMP EC001E25
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileExA + 5 7683CDA6 1 Byte [70]
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717C000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 715E000A
.text C:\Windows\system32\wininit.exe[512] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70D5000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!RegisterRawInputDevices 76635B52 5 Bytes JMP 10018F00 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 70FF000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SystemParametersInfoA 766380E0 7 Bytes JMP 1001C690 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetParent 76638314 5 Bytes JMP 10018980 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!EnableWindow 76638D02 5 Bytes JMP 10017EA0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!MoveWindow 76638D29 5 Bytes JMP 10018C20 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!GetAsyncKeyState 7663A256 5 Bytes JMP 10019120 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!RegisterHotKey 7663AA19 5 Bytes JMP 10018140 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!PostThreadMessageA 7663AD09 5 Bytes JMP 1001B980 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageA 7663AD60 5 Bytes JMP 1001B440 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!PostMessageA 7663B446 5 Bytes JMP 1001BEC0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 70FC000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B1000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendNotifyMessageW 7663C88A 5 Bytes JMP 1001A160 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SystemParametersInfoW 7663E09A 7 Bytes JMP 1001C470 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowsHookExW 7663E30C 5 Bytes JMP 1001C8B0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageTimeoutW 7663E459 5 Bytes JMP 1001AC20 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70AE000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!PostThreadMessageW 7663EEFC 5 Bytes JMP 1001B6E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[512] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [F8, 70]
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetWinEventHook 766424DC 5 Bytes JMP 1001C160 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!GetKeyState 76642B4D 5 Bytes JMP 100193D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageCallbackW 76642F7B 5 Bytes JMP 1001A6A0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!PostMessageW 7664447B 5 Bytes JMP 1001BC20 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageW 76645539 5 Bytes JMP 1001B1A0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70B4000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 709C000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!GetClipboardData 76652BA7 5 Bytes JMP 10018370 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendNotifyMessageA 7665493C 5 Bytes JMP 1001A400 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!mouse_event 76656209 5 Bytes JMP 100297C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetClipboardViewer 76656FF6 5 Bytes JMP 10018780 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendDlgItemMessageW 766570D8 5 Bytes JMP 10019C00 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendDlgItemMessageA 76657241 5 Bytes JMP 10019EB0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70B7000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 709F000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!GetKeyboardState 76666946 5 Bytes JMP 10019680 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!BlockInput 76666A99 5 Bytes JMP 10018580 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowsHookExA 76666D0C 5 Bytes JMP 1001CB20 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageTimeoutA 76666DA9 5 Bytes JMP 1001AEE0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendInput 76667019 5 Bytes JMP 10019930 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7161000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!EndTask 7667FD66 6 Bytes JMP 7179000A
.text C:\Windows\system32\wininit.exe[512] USER32.dll!ExitWindowsEx 766806C7 5 Bytes JMP 10017C90 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!keybd_event 7668EC3B 5 Bytes JMP 100299D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageCallbackA 76693E8B 5 Bytes JMP 1001A960 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] GDI32.dll!BitBlt 77DF72C0 5 Bytes JMP 10029530 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] GDI32.dll!MaskBlt 77DFC7AD 5 Bytes JMP 10029280 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] GDI32.dll!StretchBlt 77DFF467 5 Bytes JMP 10028D50 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] GDI32.dll!PlgBlt 77E1026A 5 Bytes JMP 10028FF0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7102000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 7135000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 713B000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 7123000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A2000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7141000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7129000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 7126000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 7138000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7132000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 7105000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70CF000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 713E000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70C9000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70CC000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D2000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [1F, 71]
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 712C000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 711A000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 711D000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 712F000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 7155000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70A5000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 7158000A
.text C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A
.text C:\Windows\system32\wininit.exe[512] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7185000A
.text C:\Windows\system32\wininit.exe[512] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70E4000A
.text C:\Windows\system32\wininit.exe[512] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 717F000A
.text C:\Windows\system32\wininit.exe[512] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7182000A
.text C:\Windows\system32\wininit.exe[512] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 7188000A
.text C:\Windows\system32\wininit.exe[512] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70E7000A
.text C:\Windows\system32\csrss.exe[524] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 75E21BA0 C:\Windows\system32\cmdcsr.dll
.text C:\Windows\system32\csrss.exe[524] ntdll.dll!NtReplyWaitReceivePort 77C86458 5 Bytes JMP 75E21450 C:\Windows\system32\cmdcsr.dll
.text C:\Windows\system32\csrss.exe[524] ntdll.dll!NtReplyWaitReceivePortEx 77C86468 5 Bytes JMP 75E217F0 C:\Windows\system32\cmdcsr.dll
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 7150000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 714A000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7171000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 7120000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 7108000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 7168000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 7123000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 710B000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 70EA000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileExW 767F8DF8 4 Bytes JMP EC001E25
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileExW + 5 767F8DFD 1 Byte [70]
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 713B000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 7156000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 7141000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 716B000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 71AE000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 7126000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 716E000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 7177000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 7174000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70F9000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 711A000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 7138000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 71A4000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 711D000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 70F0000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 71A7000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 7153000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 70F3000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 713E000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 70F6000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 714D000A
.text C:\Windows\system32\winlogon.exe[556] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 7135000A
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 715F000A
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 715C000A
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 7111000A
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 710E000A
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [58, 71]
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 7114000A
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70FC000A
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 7117000A
.text C:\Windows\system32\winlogon.exe[556] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70FF000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7162000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 7195000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 719B000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 7183000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 7102000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 71A1000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7189000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 7186000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 7198000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7192000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 7165000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 712F000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 719E000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 7129000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 712C000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 7132000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [7F, 71] {JG 0x73}
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 718C000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 717A000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 717D000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 718F000A
.text C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 7105000A
.text C:\Windows\system32\winlogon.exe[556] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 7144000A
.text C:\Windows\system32\winlogon.exe[556] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 7147000A
.text C:\Windows\system32\services.exe[596] services.exe 00111608 4 Bytes [20, E2, 01, 10] {AND DL, AH; ADD [EAX], EDX}
.text C:\Windows\system32\services.exe[596] services.exe 00111618 4 Bytes [00, DD, 01, 10] {ADD CH, BL; ADD [EAX], EDX}
.text C:\Windows\system32\services.exe[596] services.exe 00111638 4 Bytes [40, E5, 01, 10]
.text C:\Windows\system32\services.exe[596] services.exe 00111648 4 Bytes [80, DF, 01, 10]
.text C:\Windows\system32\services.exe[596] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\services.exe[596] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Windows\system32\services.exe[596] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\services.exe[596] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Windows\system32\services.exe[596] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A
.text C:\Windows\system32\services.exe[596] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A
.text C:\Windows\system32\services.exe[596] RPCRT4.dll!RpcServerRegisterIfEx 764608A4 5 Bytes JMP 1001F870 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\services.exe[596] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71]
.text C:\Windows\system32\services.exe[596] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A
.text C:\Windows\system32\services.exe[596] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A
.text C:\Windows\system32\services.exe[596] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A
.text C:\Windows\system32\services.exe[596] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A
.text C:\Windows\system32\services.exe[596] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A
.text C:\Windows\system32\services.exe[596] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A
.text C:\Windows\system32\services.exe[596] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\services.exe[596] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70]
.text C:\Windows\system32\services.exe[596] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A
.text C:\Windows\system32\services.exe[596] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A
.text C:\Windows\system32\services.exe[596] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A
.text C:\Windows\system32\services.exe[596] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A
.text C:\Windows\system32\services.exe[596] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A
.text C:\Windows\system32\services.exe[596] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A
.text C:\Windows\system32\services.exe[596] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\services.exe[596] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71]
.text C:\Windows\system32\services.exe[596] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A
.text C:\Windows\system32\services.exe[596] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A
.text C:\Windows\system32\services.exe[596] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A
.text C:\Windows\system32\services.exe[596] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71]
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A
.text C:\Windows\system32\services.exe[596] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A
.text C:\Windows\system32\services.exe[596] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A
.text C:\Windows\system32\services.exe[596] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A
.text C:\Windows\system32\services.exe[596] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A
.text C:\Windows\system32\services.exe[596] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A
.text C:\Windows\system32\services.exe[596] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[596] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [59, 71] .text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[612] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\lsass.exe[612] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F1000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70EB000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7112000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C1000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70A9000A 
.text C:\Windows\system32\lsass.exe[612] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 7109000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70C4000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70AC000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 708B000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 708E000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70DC000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70F7000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E2000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 710C000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 714B000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70C7000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 710F000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 7118000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 7115000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 709A000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70BB000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70D9000A .text 
C:\Windows\system32\lsass.exe[612] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 7145000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70BE000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 716F000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7091000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 7148000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70F4000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 7094000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70DF000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 716C000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7097000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70EE000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 7178000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 715D000A .text C:\Windows\system32\lsass.exe[612] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70D6000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[612] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [4D, 71] .text C:\Windows\system32\lsass.exe[612] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7100000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 7166000A .text 
C:\Windows\system32\lsass.exe[612] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 70FD000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B2000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70AF000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[612] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [F9, 70] .text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7151000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 7169000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70B5000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 709D000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70B8000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A0000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[612] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [62, 71] .text C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7160000A .text C:\Windows\system32\lsass.exe[612] USER32.dll!EndTask 7667FD66 6 Bytes JMP 7175000A .text C:\Windows\system32\lsass.exe[612] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text 
C:\Windows\system32\lsass.exe[612] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7103000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 7136000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 713C000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 7124000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A3000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7142000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 712A000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 7127000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 7139000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7133000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 7106000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D0000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 713F000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70CA000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70CD000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D3000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [20, 71] .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes 
JMP 712D000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 711B000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 711E000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7130000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 7154000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70A6000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 7157000A .text C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\lsass.exe[612] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[612] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70E5000A .text C:\Windows\system32\lsass.exe[612] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 717B000A .text C:\Windows\system32\lsass.exe[612] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[612] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[612] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70E8000A .text C:\Windows\system32\lsm.exe[620] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsm.exe[620] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsm.exe[620] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[620] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\system32\lsm.exe[620] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text 
C:\Windows\system32\lsm.exe[620] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\lsm.exe[620] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\lsm.exe[620] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll |
19.02.2014, 16:34 | #5 |
| Windows 7: Bluescreen after startup, recovery successful but suspected malware gmer02_0599-1195.txt: Code:
.text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 709F000A .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[748] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[748] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[748] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[748] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[748] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[748] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 
C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!DeleteFileA 767F43CA 6 Bytes 
JMP 70B2000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\system32\ibmpmsvc.exe[812] 
kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text 
C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text 
C:\Windows\system32\ibmpmsvc.exe[812] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!SetWindowsHookExA 76666D0C 6 
Bytes JMP 7198000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\ibmpmsvc.exe[812] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\ibmpmsvc.exe[812] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\ibmpmsvc.exe[812] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\ibmpmsvc.exe[812] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\ibmpmsvc.exe[812] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\ibmpmsvc.exe[812] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\ibmpmsvc.exe[812] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\ibmpmsvc.exe[812] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Program 
Files\Synaptics\SynTP\SynTPLpr.exe[824] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Program 
Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] 
kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!GetAsyncKeyState 
7663A256 6 Bytes JMP 716C000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] 
GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text 
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[824] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes 
When I compare my GMER file with other posts, its size seems a bit alarming to me. Before I upload further pieces, I will wait for a reply. Regards, Regina |
20.02.2014, 14:10 | #6 |
/// the machine /// TB-Ausbilder | Windows 7: Bluescreen after startup, recovery successful but suspected malware GMER logs can indeed be huge. Please post it in full.
21.02.2014, 23:03 | #7 |
| Windows 7: Bluescreen after startup, recovery successful but suspected malware Continuing: gmer03_1196-1803.txt Code:
USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\System32\svchost.exe[1080] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1080] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\System32\svchost.exe[1080] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\System32\svchost.exe[1080] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[1080] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1080] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1080] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1080] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text 
C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A 
.text C:\Windows\System32\svchost.exe[1080] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1080] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\System32\svchost.exe[1080] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1080] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1080] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1080] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [4D, 71] .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] 
kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70E5000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70DF000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7106000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70B5000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 709B000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 70FD000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70B8000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 709E000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 707D000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7080000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70D0000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70EB000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70D6000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7100000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 713F000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70BB000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7103000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 710C000A .text 
C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 7109000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 708C000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70AD000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70CD000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 7139000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70B2000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7083000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 713C000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70E8000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 7086000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70D3000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7089000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70E2000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\System32\svchost.exe[1112] 
kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70CA000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1112] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [41, 71] .text C:\Windows\System32\svchost.exe[1112] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 70F4000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 70F1000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70A4000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70A1000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1112] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [ED, 70] .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7145000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70A7000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 708F000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70AA000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 7092000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1112] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text 
C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[1112] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 70F7000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 712A000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7130000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 7118000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 7095000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7136000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 711E000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 711B000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 712D000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7127000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 70FA000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes 
JMP 70C4000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7133000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70BE000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70C1000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70C7000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [14, 71] {ADC AL, 0x71} .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7121000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 710F000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7112000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7124000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 7148000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 7098000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 714B000A .text C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\System32\svchost.exe[1112] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1112] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70D9000A .text C:\Windows\System32\svchost.exe[1112] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1112] SHELL32.dll!ShellExecuteEx 
7709748A 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1112] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1112] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [54, 71] .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70EC000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70E6000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 710D000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70B0000A .text 
C:\Windows\system32\svchost.exe[1152] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 7098000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 7104000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70B3000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 709B000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 707A000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 707D000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70D7000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70F2000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70DD000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7107000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7146000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70B6000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 710A000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 7113000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 7110000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 7089000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70AA000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadLibraryW 767FEF32 6 
Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70C8000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 7140000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70AD000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7080000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 7143000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70EF000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 7083000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70DA000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7086000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70E9000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7158000A .text C:\Windows\system32\svchost.exe[1152] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70C5000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1152] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [48, 71] .text 
C:\Windows\system32\svchost.exe[1152] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 70FB000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 7161000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 70F8000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70A1000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 709E000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1152] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [F4, 70] .text C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 714C000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70A4000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 708C000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70A7000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 708F000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1152] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [5D, 71] .text C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 715B000A .text C:\Windows\system32\svchost.exe[1152] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1152] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 
C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 70FE000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 7131000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7137000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 711F000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 7092000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 713D000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7125000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 7122000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 7134000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 712E000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 7101000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70BF000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 713A000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70B9000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70BC000A .text C:\Windows\system32\svchost.exe[1152] 
ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70C2000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [1B, 71] .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7128000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7116000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7119000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 712B000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 714F000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 7095000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 7152000A .text C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[1152] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1152] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70E0000A .text C:\Windows\system32\svchost.exe[1152] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1152] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1152] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1152] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70E3000A .text C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text 
C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [46, 71] .text C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [5E, 71] .text C:\Windows\system32\svchost.exe[1176] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70C9000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70C3000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 4 Bytes JMP FE001E25 .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateToolhelp32Snapshot + 5 767EFD2E 1 Byte [70] .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 704C000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 7034000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 70F6000A 
.text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 704F000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 7037000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7014000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7017000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70E4000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70BA000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 70F9000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7138000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 7052000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 70FC000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 7105000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 7102000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 7023000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 7046000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 7132000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!OpenMutexW 
76808ECD 6 Bytes JMP 7049000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 715C000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 701A000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 7135000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70D4000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 701D000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70B7000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7159000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7020000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70C6000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 7165000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71A0000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[1176] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[1176] RPCRT4.dll!RpcServerRegisterIfEx 764608A4 5 Bytes JMP 1001F870 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1176] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [3A, 71] .text C:\Windows\system32\svchost.exe[1176] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 70ED000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!GetAsyncKeyState 7663A256 6 
Bytes JMP 7153000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 70EA000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 703D000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 703A000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1176] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [E6, 70] {OUT 0x70, AL} .text C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 713E000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 7156000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 7040000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 7026000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 7043000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 7029000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1176] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [4F, 71] .text C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 714D000A .text C:\Windows\system32\svchost.exe[1176] USER32.dll!EndTask 7667FD66 6 Bytes JMP 7162000A .text C:\Windows\system32\svchost.exe[1176] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text 
C:\Windows\system32\svchost.exe[1176] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 70F0000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 7123000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7129000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 7111000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 702E000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 712F000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7117000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 7114000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 7126000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7120000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 70F3000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 706F000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 712C000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 7055000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 706C000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 7096000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] 
.text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [0D, 71] .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 711A000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7108000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 710B000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 711D000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 7141000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 7031000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 7144000A .text C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 7199000A |
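Added example, not part of the thread and not GMER's own code: a small Python triage parser for the user-mode hook lines above. Every line in the log has the same shape, `.text <process>[pid] <module>!<export> [+ N] <addr> <n> Bytes JMP <target> [<target module>]` or `... <n> Bytes [hex bytes]`, so the question an analyst actually asks ("where do all these hooks go, and is every destination accounted for?") can be answered mechanically. The sample lines are copied from the posted log. Two things the parser does that reading the raw log does not show: it joins the `3 Bytes [FF, 25, 1E]` / `+ 4 2 Bytes [..]` fragment pairs back into one `FF 25 disp32` (`jmp dword ptr [disp32]`) and prints the pointer slot with `??` for the one byte GMER omitted because it matched the original, and it checks whether every unresolved `JMP xxxx000A` stub shares the same low 16 bits, which is what one trampoline allocator produces. The allowlist of expected hooking modules is an assumption: `guard32.dll` is the user-mode component of COMODO Internet Security (my identification, the thread itself does not name the product).

```python
"""Triage parser for GMER user-mode hook lines (added example, not from the thread)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines copied from the GMER log in this thread, one per line.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [46, 71]
.text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70C9000A
.text C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71A0000A
.text C:\Windows\system32\svchost.exe[1176] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[1176] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [E6, 70] {OUT 0x70, AL}
.text C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
"""

@dataclass
class Hook:
    proc: str
    pid: int
    module: str                   # hooked DLL, e.g. ntdll.dll
    export: str                   # hooked export, e.g. NtClose
    offset: int                   # "+ N" fragments: byte offset from the export
    addr: int
    nbytes: int
    target: Optional[int]         # JMP destination if GMER decoded one
    target_module: Optional[str]  # basename of the module the JMP lands in, if known
    patch: List[int]              # raw bytes GMER listed instead of a decoded JMP

LINE_RE = re.compile(r"""
    ^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+
    (?P<module>[^\s!]+)!(?P<export>[^\s+]+)(?:\s+\+\s+(?P<off>\d+))?\s+
    (?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes?\s+
    (?: JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<tmod>\S+))?
      | \[(?P<bytes>[0-9A-F, ]+)\](?:\s+\{(?P<asm>[^}]*)\})? )
    \s*$""", re.X | re.I)

def parse_gmer(text: str) -> List[Hook]:
    """Parse every '.text' hook line; raise on a line the regex does not understand."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(".text"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised GMER line: " + line)
        raw = m["bytes"]
        hooks.append(Hook(
            proc=m["proc"], pid=int(m["pid"]), module=m["module"].lower(),
            export=m["export"], offset=int(m["off"] or 0),
            addr=int(m["addr"], 16), nbytes=int(m["n"]),
            target=int(m["target"], 16) if m["target"] else None,
            target_module=m["tmod"].rsplit("\\", 1)[-1].lower() if m["tmod"] else None,
            patch=[int(b, 16) for b in raw.replace(" ", "").split(",")] if raw else [],
        ))
    return hooks

def reconstruct_patches(hooks: List[Hook]) -> Dict[Tuple[int, str, str], List[Optional[int]]]:
    """Join '+ N' fragments with their base entry into one 8-byte image per export.
    Positions GMER did not list (they still held the original byte) stay None."""
    images: Dict[Tuple[int, str, str], List[Optional[int]]] = defaultdict(lambda: [None] * 8)
    for h in hooks:
        for i, b in enumerate(h.patch):
            images[(h.pid, h.module, h.export)][h.offset + i] = b
    return dict(images)

def decode_indirect_jmp(img: List[Optional[int]]) -> Optional[str]:
    """FF 25 disp32 is `jmp dword ptr [disp32]`. Return the pointer slot as hex,
    '??' marking bytes the log did not show, or None if it is not that opcode."""
    if img[0] != 0xFF or img[1] != 0x25:
        return None
    return "".join("??" if b is None else f"{b:02X}" for b in reversed(img[2:6]))

def indirect_pointers(hooks: List[Hook]) -> Dict[Tuple[int, str], str]:
    return {(pid, export): p for (pid, _mod, export), img in reconstruct_patches(hooks).items()
            if (p := decode_indirect_jmp(img))}

def classify(hooks: List[Hook], expected_modules=frozenset({"guard32.dll"})):
    """Bucket decoded JMP hooks by destination. `expected_modules` is the hooking
    product you already know about (assumption: guard32.dll). Returns the per-module
    counts, the stubs GMER could not resolve, and hooks into unexpected modules."""
    by_module: Counter = Counter()
    unresolved: Dict[Tuple[int, str], int] = {}
    unexpected: List[Hook] = []
    for h in hooks:
        if h.target is None:
            continue
        if h.target_module:
            by_module[h.target_module] += 1
            if h.target_module not in expected_modules:
                unexpected.append(h)
        else:
            unresolved[(h.pid, h.export)] = h.target
    return by_module, unresolved, unexpected

def stub_signature(unresolved: Dict[Tuple[int, str], int]) -> set:
    """Low 16 bits of every unresolved destination. A single value (0x000A in this
    log) means every stub sits at the same offset in its page, consistent with one
    allocator, i.e. one hooking engine rather than unrelated patches."""
    return {t & 0xFFFF for t in unresolved.values()}

if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_LOG)
    by_module, unresolved, unexpected = classify(hooks)
    print("resolved destinations:", dict(by_module))
    print("unresolved stubs:", {k: f"{v:08X}" for k, v in unresolved.items()})
    print("stub low 16 bits:", {f"{v:04X}" for v in stub_signature(unresolved)})
    print("FF 25 pointer slots:", indirect_pointers(hooks))
    print("hooks into unexpected modules:", [(h.pid, h.export) for h in unexpected])
```

Run against the full log (one entry per line) the interesting output is the unresolved set: if every stub ends in `000A` and every reconstructed `FF 25` pointer sits in the same 0x70xx/0x71xx range as those stubs, the hooks are consistent with a single engine and can be attributed together; a destination that breaks the pattern, or a resolved module outside the allowlist, is the line to look at first.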
21.02.2014, 23:05 | #8 |
| Windows 7: Bluescreen after start, recovery successful but suspected malware gmer04_1804-2359.txt Code:
ATTFilter .text C:\Windows\system32\svchost.exe[1176] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[1176] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70BD000A .text C:\Windows\system32\svchost.exe[1176] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[1176] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 716B000A .text C:\Windows\system32\svchost.exe[1176] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[1176] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70C0000A .text C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1272] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] 
kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text 
C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\svchost.exe[1272] 
kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1272] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\system32\svchost.exe[1272] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1272] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1272] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text 
C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\svchost.exe[1272] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1272] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes 
JMP 70D6000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[1272] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1272] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[1272] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1272] SHELL32.dll!ShellExecuteEx 7709748A 6 
Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1272] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1272] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1308] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1308] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text 
C:\Windows\system32\svchost.exe[1308] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 767FEF32 6 
Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\system32\svchost.exe[1308] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1308] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text 
C:\Windows\system32\svchost.exe[1308] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1308] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1308] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\svchost.exe[1308] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1308] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 
|
21.02.2014, 23:06 | #9 |
| Windows 7: Blue screen after startup, recovery successful but malware suspected gmer05_2360-2925.txt Code:
7672462D 6 Bytes JMP 70A1000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 70A4000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 70B6000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 7026000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7086000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7083000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 7032000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] 
USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 702F000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [7F, 70] {JG 0x72} .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 7035000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 701D000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 7038000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 7020000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 
C:\Windows\system32\guard32.dll .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] WININET.dll!InternetOpenUrlA 7696E1C6 6 Bytes JMP 7065000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] WININET.dll!InternetOpenUrlW 769CDC08 6 Bytes JMP 7062000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 706B000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 706E000A .text C:\Program Files\ThreatFire\TFService.exe[1944] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 0031B670 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] ntdll.dll!NtClose 77C85508 5 Bytes JMP 0030D120 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 0030D240 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 00317F40 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] 
kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 00315070 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 00315C00 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 00313BA0 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 00318D10 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 00318AE0 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 00319E10 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 00319D10 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFService.exe[1944] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 003144D0 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text 
C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateMutexA 767FD7C4 6 
Bytes JMP 70CD000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Tools\USBDLM\USBDLM.exe[1976] 
kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueW 76724434 3 
Bytes [FF, 25, 1E] .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Tools\USBDLM\USBDLM.exe[1976] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes 
JMP 7103000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A 
.text C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[2144] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\system32\svchost.exe[2144] 
kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text 
C:\Windows\system32\svchost.exe[2144] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\system32\svchost.exe[2144] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2144] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\system32\svchost.exe[2144] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\system32\svchost.exe[2144] 
USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2144] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2144] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\svchost.exe[2144] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[2144] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text 
C:\Windows\system32\svchost.exe[2144] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] 
.text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[2144] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2144] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[2144] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2144] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2144] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2144] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A |
21.02.2014, 23:07 | #10 |
| gmer06_2926-3479.txt
Code:
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 003DB670 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtClose 77C85508 5 Bytes JMP 003CD120 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [59, 71]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [71, 71] {JNO 0x73}
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 003CD240 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 003D7F40 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 003D5070 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 003D5C00 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 003D3BA0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F1000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70EB000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7112000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70BB000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70A3000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 7109000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70BE000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70A6000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7085000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7088000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70D6000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70F7000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E2000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 710C000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 714B000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70C1000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 710F000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 7118000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 7115000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 7094000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70B5000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70D3000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 7145000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70B8000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 716F000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 708B000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 7148000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70F4000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 708E000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70D9000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 716C000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7091000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70EE000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 7178000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 715D000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70D0000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 003D8D10 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 003D8AE0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 003D9E10 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 003D9D10 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [4D, 71]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7100000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 7166000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 70FD000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70AC000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70A9000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [F9, 70]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7151000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 7169000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70AF000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 7097000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70B2000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 709A000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [62, 71]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7160000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!EndTask 7667FD66 6 Bytes JMP 7175000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7103000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 7136000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 713C000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 7124000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 709D000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7142000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 712A000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 7127000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 7139000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7133000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 7106000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70CA000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 713F000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70C4000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70C7000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70CD000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [20, 71]
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 712D000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 711B000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 711E000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7130000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 7154000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70A0000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 003D44D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 7157000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7181000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70E5000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 717B000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 717E000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 7184000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70E8000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] WININET.dll!InternetOpenUrlA 7696E1C6 6 Bytes JMP 70DF000A
.text C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] WININET.dll!InternetOpenUrlW 769CDC08 6 Bytes JMP 70DC000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71]
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A
.text C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E]
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71]
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70]
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71]
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A
.text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!OpenProcessToken
76724284 6 Bytes JMP 70D9000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text E:\Gmer-19357.exe[2612] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 
C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text E:\Gmer-19357.exe[2612] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text E:\Gmer-19357.exe[2612] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text E:\Gmer-19357.exe[2612] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text E:\Gmer-19357.exe[2612] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text E:\Gmer-19357.exe[2612] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text E:\Gmer-19357.exe[2612] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text E:\Gmer-19357.exe[2612] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text E:\Gmer-19357.exe[2612] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text E:\Gmer-19357.exe[2612] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text E:\Gmer-19357.exe[2612] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text E:\Gmer-19357.exe[2612] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateDirectoryW 767F99D1 
6 Bytes JMP 70E2000A .text E:\Gmer-19357.exe[2612] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text E:\Gmer-19357.exe[2612] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text E:\Gmer-19357.exe[2612] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text E:\Gmer-19357.exe[2612] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text E:\Gmer-19357.exe[2612] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text E:\Gmer-19357.exe[2612] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text E:\Gmer-19357.exe[2612] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text E:\Gmer-19357.exe[2612] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text E:\Gmer-19357.exe[2612] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text E:\Gmer-19357.exe[2612] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text E:\Gmer-19357.exe[2612] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text E:\Gmer-19357.exe[2612] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text E:\Gmer-19357.exe[2612] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text E:\Gmer-19357.exe[2612] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text E:\Gmer-19357.exe[2612] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text E:\Gmer-19357.exe[2612] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text E:\Gmer-19357.exe[2612] 
kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text E:\Gmer-19357.exe[2612] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text E:\Gmer-19357.exe[2612] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text E:\Gmer-19357.exe[2612] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text E:\Gmer-19357.exe[2612] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text E:\Gmer-19357.exe[2612] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text E:\Gmer-19357.exe[2612] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text E:\Gmer-19357.exe[2612] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text E:\Gmer-19357.exe[2612] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text E:\Gmer-19357.exe[2612] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text E:\Gmer-19357.exe[2612] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text E:\Gmer-19357.exe[2612] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text E:\Gmer-19357.exe[2612] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text E:\Gmer-19357.exe[2612] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text E:\Gmer-19357.exe[2612] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text E:\Gmer-19357.exe[2612] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text E:\Gmer-19357.exe[2612] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text E:\Gmer-19357.exe[2612] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text E:\Gmer-19357.exe[2612] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text E:\Gmer-19357.exe[2612] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text E:\Gmer-19357.exe[2612] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text E:\Gmer-19357.exe[2612] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text E:\Gmer-19357.exe[2612] 
USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text E:\Gmer-19357.exe[2612] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text E:\Gmer-19357.exe[2612] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text E:\Gmer-19357.exe[2612] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text E:\Gmer-19357.exe[2612] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text E:\Gmer-19357.exe[2612] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text 
E:\Gmer-19357.exe[2612] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text E:\Gmer-19357.exe[2612] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text E:\Gmer-19357.exe[2612] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text E:\Gmer-19357.exe[2612] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text E:\Gmer-19357.exe[2612] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text E:\Gmer-19357.exe[2612] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text E:\Gmer-19357.exe[2612] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text E:\Gmer-19357.exe[2612] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\explorer.exe[3028] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] 
ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\explorer.exe[3028] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\explorer.exe[3028] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\explorer.exe[3028] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\explorer.exe[3028] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\explorer.exe[3028] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\explorer.exe[3028] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\explorer.exe[3028] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\explorer.exe[3028] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\explorer.exe[3028] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\explorer.exe[3028] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 
7091000A .text C:\Windows\explorer.exe[3028] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\explorer.exe[3028] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\explorer.exe[3028] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\explorer.exe[3028] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\explorer.exe[3028] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\explorer.exe[3028] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\explorer.exe[3028] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\explorer.exe[3028] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\explorer.exe[3028] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\explorer.exe[3028] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\explorer.exe[3028] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\explorer.exe[3028] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\explorer.exe[3028] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\explorer.exe[3028] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\explorer.exe[3028] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text 
C:\Windows\explorer.exe[3028] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\explorer.exe[3028] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\explorer.exe[3028] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\explorer.exe[3028] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\explorer.exe[3028] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\explorer.exe[3028] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\explorer.exe[3028] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\explorer.exe[3028] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\explorer.exe[3028] 
ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\explorer.exe[3028] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\explorer.exe[3028] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 
C:\Windows\system32\guard32.dll .text C:\Windows\explorer.exe[3028] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\explorer.exe[3028] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\explorer.exe[3028] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\explorer.exe[3028] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\explorer.exe[3028] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\explorer.exe[3028] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\explorer.exe[3028] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\explorer.exe[3028] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\explorer.exe[3028] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\explorer.exe[3028] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\explorer.exe[3028] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\explorer.exe[3028] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\explorer.exe[3028] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\explorer.exe[3028] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\explorer.exe[3028] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\explorer.exe[3028] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\explorer.exe[3028] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\explorer.exe[3028] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\explorer.exe[3028] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\explorer.exe[3028] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\explorer.exe[3028] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text 
C:\Windows\explorer.exe[3028] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\explorer.exe[3028] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\explorer.exe[3028] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\explorer.exe[3028] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\explorer.exe[3028] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\explorer.exe[3028] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\explorer.exe[3028] WININET.dll!InternetOpenUrlA 7696E1C6 6 Bytes JMP 708E000A .text C:\Windows\explorer.exe[3028] WININET.dll!InternetOpenUrlW 769CDC08 6 Bytes JMP 708B000A |
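The GMER listing above is several hundred user-mode inline hooks, and the practitioner's question is not "are there hooks" (there always are when an AV/HIPS is installed) but "do all hooks come from one product, and does any process deviate". Two things stand out when the entries are grouped: every hook that GMER could attribute to a module lands in C:\Windows\system32\guard32.dll, which is the user-mode component of COMODO Internet Security, and every hook it could not attribute jumps to the same 0x70xx000A / 0x71xx000A stub for the same API in every process (USBDLM_usr.exe, Gmer-19357.exe, explorer.exe, svchost.exe alike). The script below is an added triage helper for this thread; it is not GMER's code and was not run by the poster. It parses the `.text` entries in the format GMER prints, groups them by target module, and reports any API whose target in one process differs from the target every other process agrees on. The sample input is constructed: its first eight lines copy entries from the posted log, the last line (a `C:\Users\chef\AppData\Local\Temp\updater.exe` process, PID 4100, target 00401A00) is hypothetical and exists only to show what an outlier would look like; nothing like it appears in the posted log.

```python
"""Triage helper for GMER user-mode hook listings (added example, not GMER code).

Entries have one of two shapes:
    .text <image>[<pid>] <module>!<api>[ + <off>] <addr> <n> Bytes JMP <target> [<dll>]
    .text <image>[<pid>] <module>!<api>[ + <off>] <addr> <n> Bytes [<hex bytes>] [{<disasm>}]
"""
import re
from collections import defaultdict

# Constructed sample. Lines 1-8 copy entries from the posted log; the last
# line is hypothetical (invented process, PID and target) to exercise the
# outlier path. It is not in the posted log.
SAMPLE_LOG = r"""
.text C:\Windows\explorer.exe[3028] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Windows\explorer.exe[3028] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Windows\explorer.exe[3028] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Windows\explorer.exe[3028] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Windows\explorer.exe[3028] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Windows\explorer.exe[3028] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text E:\Gmer-19357.exe[2612] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Users\chef\AppData\Local\Temp\updater.exe[4100] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 00401A00
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<api>\w+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<target_module>[^\s{].*?))?"
    r"|\[(?P<raw>[^\]]*)\])"
    r"(?:\s*\{(?P<disasm>[^}]*)\})?\s*$"
)


def parse_gmer_hooks(text):
    """One dict per parsable '.text' entry; anything else is skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "image": d["image"],
            "pid": int(d["pid"]),
            "symbol": f'{d["module"]}!{d["api"]}',
            "offset": int(d["offset"] or 0),          # 0 = hook at the API entry
            "addr": int(d["addr"], 16),
            "size": int(d["size"]),
            "target": int(d["target"], 16) if d["target"] else None,
            "target_module": d["target_module"],        # None when GMER named no DLL
            "raw_bytes": d["raw"],                      # patched bytes without a decoded JMP
        })
    return hooks


def hooks_by_target_module(hooks):
    """Target DLL (or '<unattributed>' for bare JMP addresses) -> set of hooked symbols."""
    out = defaultdict(set)
    for h in hooks:
        if h["target"] is not None:
            out[h["target_module"] or "<unattributed>"].add(h["symbol"])
    return dict(out)


def find_outliers(hooks):
    """(symbol, target, pid) for every hook whose target differs from the one
    all other hooked processes share. A HIPS/AV patches the same API to the
    same stub in every process it protects; a lone divergent process is what
    to examine first."""
    by_symbol = defaultdict(lambda: defaultdict(set))   # symbol -> target -> {pid}
    for h in hooks:
        if h["target"] is not None and h["offset"] == 0:
            by_symbol[h["symbol"]][h["target"]].add(h["pid"])
    outliers = []
    for symbol, by_target in by_symbol.items():
        if len(by_target) < 2:
            continue
        majority = max(by_target, key=lambda t: len(by_target[t]))
        for target, pids in by_target.items():
            if target != majority and len(pids) == 1:
                outliers.append((symbol, f"{target:08X}", next(iter(pids))))
    return sorted(outliers)


def indirect_jmp_fragments(hooks):
    """Symbols GMER printed as raw 'FF 25 ...' bytes (JMP [abs32]) rather than a
    decoded JMP. GMER lists only the changed bytes, split into a +0 and a +4
    entry, so the absolute target cannot be read off the listing alone."""
    return sorted({h["symbol"] for h in hooks
                   if h["raw_bytes"] and h["raw_bytes"].startswith("FF, 25")})


if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE_LOG)
    for dll, symbols in sorted(hooks_by_target_module(hooks).items()):
        print(f"{dll}: {len(symbols)} hooked API(s)")
    for symbol, target, pid in find_outliers(hooks):
        print(f"OUTLIER {symbol} -> {target} only in PID {pid}")
    print("FF 25 fragments (target not decoded):", indirect_jmp_fragments(hooks))
```

Run against the full text of the posted log (paste it in place of `SAMPLE_LOG`), `find_outliers` returns an empty list: every process in the listing is hooked identically, which is the signature of one installed product rather than a per-process injection. The script deliberately does not label the unattributed 0x7xxx000A stubs as clean or malicious; it only shows whether they are consistent, and the consistent ones still warrant identifying the module that owns that memory range before the case is closed.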
21.02.2014, 23:08 | #11
Windows 7: Bluescreen after startup, recovery successful but malware suspected

gmer07_3480-4033.txt
Code:
.text C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Windows\system32\svchost.exe[3232] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A
.text C:\Windows\system32\svchost.exe[3232] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71]
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70]
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71]
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A
.text C:\Windows\system32\svchost.exe[3232] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A
.text C:\Windows\system32\svchost.exe[3232] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 
Bytes [26, 71] .text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[3232] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3232] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[3232] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3232] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3232] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[3232] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3308] 
ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\System32\svchost.exe[3308] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\System32\svchost.exe[3308] 
kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text 
C:\Windows\System32\svchost.exe[3308] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\System32\svchost.exe[3308] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3308] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\System32\svchost.exe[3308] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!ShowWindow 
7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3308] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3308] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\System32\svchost.exe[3308] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[3308] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 
Bytes JMP 7142000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text 
C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\System32\svchost.exe[3308] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[3308] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\System32\svchost.exe[3308] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[3308] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[3308] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[3308] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\System32\svchost.exe[3308] WININET.dll!InternetOpenUrlA 7696E1C6 6 Bytes JMP 708E000A .text C:\Windows\System32\svchost.exe[3308] WININET.dll!InternetOpenUrlW 769CDC08 6 Bytes JMP 708B000A .text C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text 
C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text 
C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\system32\SearchIndexer.exe[3396] 
kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A 
.text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 
C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text 
C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\SearchIndexer.exe[3396] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\system32\taskhost.exe[3624] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\taskhost.exe[3624] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text 
|
21.02.2014, 23:09 | #12 |
| Windows 7: Bluescreen after startup, recovery successful but suspected malware gmer08_4034-4585.txt Code:
kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70DD000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 707D000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70C8000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7080000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70D7000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\system32\Dwm.exe[3784] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70BF000A .text C:\Windows\system32\Dwm.exe[3784] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\Dwm.exe[3784] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\Dwm.exe[3784] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\Dwm.exe[3784] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 70E9000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetWindowTextW 7663B8C5 6 
Bytes JMP 70E6000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 709B000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 7098000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [E2, 70] {LOOP 0x72} .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 709E000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 7086000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70A1000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 7089000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\Dwm.exe[3784] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 70EC000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 711F000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7125000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 710D000A .text C:\Windows\system32\Dwm.exe[3784] 
ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 708C000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7113000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 7110000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 7122000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 711C000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 70EF000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70B9000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70B3000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70B6000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70BC000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [09, 71] .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7116000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7104000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7107000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7119000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 708F000A .text C:\Windows\system32\Dwm.exe[3784] 
ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70CE000A .text C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70D1000A .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\Explorer.EXE[3812] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 
C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateFileW 767FE895 
6 Bytes JMP 711E000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\Explorer.EXE[3812] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A 
.text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text 
C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\Explorer.EXE[3812] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\Explorer.EXE[3812] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes 
[FF, 70] .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3812] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\Explorer.EXE[3812] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[3812] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\Explorer.EXE[3812] WININET.dll!InternetOpenUrlA 7696E1C6 6 Bytes JMP 708E000A .text C:\Windows\Explorer.EXE[3812] WININET.dll!InternetOpenUrlW 769CDC08 6 Bytes JMP 708B000A .text C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 
C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!DeleteFileA 
767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text 
C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\System32\TpShocks.exe[3932] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\TpShocks.exe[3932] 
USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\System32\TpShocks.exe[3932] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text 
C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text 
C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text 
C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Program 
Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 
70C4000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] 
USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] GDI32.dll!DeleteDC 
77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] 
ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] 
SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A |
21.02.2014, 23:11 | #13 |
| Windows 7: Bluescreen after startup, restore successful but malware suspected gmer09_4586-5141.txt Code:
ATTFilter .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 0026B670 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtClose 77C85508 5 Bytes JMP 0025D120 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 0025D240 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 00267F40 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 00265070 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 00265C00 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 00263BA0 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Program 
Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A 
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MoveFileW 76816EC6 6 
Bytes JMP 709A000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] 
ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Program 
Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 002644D0 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Program Files\Elaborate 
Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 00268D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate 
Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 00268AE0 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 00269E10 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 00269D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Program Files\ThreatFire\TFTray.exe[3980] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 0021B670 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFTray.exe[3980] ntdll.dll!NtClose 77C85508 5 Bytes JMP 0020D120 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFTray.exe[3980] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 0020D240 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFTray.exe[3980] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 00217F40 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFTray.exe[3980] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 00215070 C:\Windows\system32\guard32.dll .text C:\Program Files\ThreatFire\TFTray.exe[3980] 
kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 00215C00 C:\Windows\system32\guard32.dll
.text C:\Program Files\ThreatFire\TFTray.exe[3980] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 00213BA0 C:\Windows\system32\guard32.dll
.text C:\Program Files\ThreatFire\TFTray.exe[3980] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 00218D10 C:\Windows\system32\guard32.dll
.text C:\Program Files\ThreatFire\TFTray.exe[3980] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 00218AE0 C:\Windows\system32\guard32.dll
.text C:\Program Files\ThreatFire\TFTray.exe[3980] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 00219E10 C:\Windows\system32\guard32.dll
.text C:\Program Files\ThreatFire\TFTray.exe[3980] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 00219D10 C:\Windows\system32\guard32.dll
.text C:\Program Files\ThreatFire\TFTray.exe[3980] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 002144D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtAllocateVirtualMemory 77C85318 1 Byte [E9]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtAllocateVirtualMemory 77C85318 5 Bytes JMP 00780630 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [62, 71]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateProcessW 767B204D 6 Bytes JMP 718F001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateProcessA 767B2082 6 Bytes JMP 7192001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F9001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F3001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 711A001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C3001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AB001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 7111001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70C6001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70AE001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 708D001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7090001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70DE001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FF001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70EA001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7114001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7153001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70C9001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7117001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 7120001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711D001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 709C001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70BD001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DB001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714D001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C0001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7177001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7093001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 7150001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FC001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 7096001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E1001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7174001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7099001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F6001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 7180001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7165001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70D8001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [56, 71]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7108001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716E001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7105001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B4001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B1001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [02, 71]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7159001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 7171001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70B7001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 709F001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BA001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A2001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [6B, 71]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7168001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717D001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7189001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70ED001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7183001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7186001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718C001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70F0001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 710B001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713E001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7144001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712C001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A5001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 714A001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7132001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712F001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 7141001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 713B001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710E001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D2001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7147001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70CC001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70CF001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D5001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [29, 71]
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7135001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7123001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7126001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7138001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715C001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70A8001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715F001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] WININET.dll!InternetOpenUrlA 7696E1C6 6 Bytes JMP 70E7001E
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] WININET.dll!InternetOpenUrlW 769CDC08 6 Bytes JMP 70E4001E
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71]
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A
.text C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A
.text C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Windows\System32\rundll32.exe[4032] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A
.text C:\Windows\System32\rundll32.exe[4032] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71]
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70]
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71]
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A
.text C:\Windows\System32\rundll32.exe[4032] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A
.text C:\Windows\System32\rundll32.exe[4032] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71]
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A
.text C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A
.text C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A
.text C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A
.text C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A
.text C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A
.text C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A
.text C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A
.text
C:\Windows\System32\rundll32.exe[4052] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\System32\rundll32.exe[4052] 
kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text 
C:\Windows\System32\rundll32.exe[4052] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\System32\rundll32.exe[4052] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\System32\rundll32.exe[4052] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\rundll32.exe[4052] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\rundll32.exe[4052] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\rundll32.exe[4052] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegCreateKeyExW 
7672407E 6 Bytes JMP 7145000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\System32\rundll32.exe[4052] 
SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A |
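Added example, not part of Regina's post and not a tool the forum hands out: a small Python triage script for GMER user-mode hook lines of the kind posted above. It merges the two-entry form GMER uses for a 6-byte patch whose fourth byte happened to be unchanged (`3 Bytes [FF, 25, 1E]` at the function start, then `+ 4 2 Bytes [xx, 71]`, which together are an indirect `jmp dword ptr [abs32]`), groups hooks per process, separates targets GMER resolved to a named DLL from bare `JMP 7xxx000A` targets it could not attribute to a module, and lists for review every hook whose target module is not on an allow-list. The allow-list containing only guard32.dll (COMODO's user-mode hook library) is an assumption of this example, and the `C:\Example\demo.exe` line in the sample input is constructed to exercise the review branch; the other sample lines are copied from the log above.

```python
"""Triage helper for GMER user-mode hook lines (added example, not part of the thread).

Line shape handled:
    .text <process>[<pid>] <module>!<function>[ + <offset>] <address> <N> Bytes <patch>
where <patch> is either  JMP <target> [<dll owning target>]  or a byte list like [FF, 25, 1E].
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^\s!]+)!(?P<func>[^\s+]+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>.+?)\s*$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<dll>\S.*))?$")
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2})*)\]")

# Assumption of this example: guard32.dll (COMODO) is the only hook DLL expected here.
KNOWN_HOOK_DLLS = {"guard32.dll"}

# Sample input: lines copied from the thread's GMER log, plus one constructed
# demo.exe line (not from the thread) whose target resolves to an unknown DLL.
SAMPLE_LOG = r"""
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A
.text C:\Example\demo.exe[9999] USER32.dll!GetAsyncKeyState 7663A256 5 Bytes JMP 00A71000 C:\Users\test\AppData\Local\Temp\unknown.dll
"""


def parse_hook_lines(text):
    """Yield one record per GMER hook line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        rec = {"proc": m["proc"], "pid": int(m["pid"]), "mod": m["mod"],
               "func": m["func"], "off": int(m["off"] or 0),
               "addr": int(m["addr"], 16), "n": int(m["n"]),
               "target": None, "dll": None, "bytes": None}
        j, b = JMP_RE.match(m["patch"]), BYTES_RE.match(m["patch"])
        if j:
            rec["target"], rec["dll"] = int(j["target"], 16), j["dll"]
        elif b:
            rec["bytes"] = bytes(int(x, 16) for x in b["bytes"].split(","))
        yield rec


def merge_split_patches(records):
    """Fold the '+0' and '+4' byte-list entries of one patched function into one hook."""
    hooks = {}
    for r in records:
        key = (r["proc"], r["pid"], r["mod"], r["func"])
        h = hooks.setdefault(key, {**r, "patch_bytes": {}})
        if r["bytes"] is not None:
            h["patch_bytes"][r["off"]] = r["bytes"]
        if r["off"] == 0:
            h["addr"] = r["addr"]  # report the function's own address, not +4
    return list(hooks.values())


def classify(hook):
    """Return (category, detail) for one merged hook."""
    if hook["dll"]:
        return ("resolved", hook["dll"].rsplit("\\", 1)[-1].lower())
    if hook["target"] is not None:
        return ("unresolved_jmp", "%08X" % hook["target"])
    pb, first = hook["patch_bytes"], hook["patch_bytes"].get(0, b"")
    if first[:2] == b"\xff\x25":
        # FF 25 = jmp dword ptr [abs32]. GMER listed bytes 0-2 and 4-5 only, so byte 3
        # was unchanged and is unknown here; it is filled with 00 for display.
        ptr = int.from_bytes(first[2:3] + b"\x00" + pb.get(4, b"\x00\x00"), "little")
        return ("indirect_jmp", "jmp dword ptr [%08X] (byte 3 unknown)" % ptr)
    return ("bytes", " ".join("%02X" % x for x in first))


def summarize(text):
    """Per-process hook counts plus a review list of hooks into non-allow-listed modules."""
    summary = {}
    for h in merge_split_patches(parse_hook_lines(text)):
        s = summary.setdefault("%s[%d]" % (h["proc"], h["pid"]),
                               {"hooks": 0, "resolved": defaultdict(int),
                                "unresolved_jmp": 0, "indirect_jmp": 0, "review": []})
        s["hooks"] += 1
        cat, detail = classify(h)
        if cat == "resolved":
            s["resolved"][detail] += 1
            if detail not in KNOWN_HOOK_DLLS:
                s["review"].append("%s!%s -> %s" % (h["mod"], h["func"], h["dll"]))
        elif cat in ("unresolved_jmp", "indirect_jmp"):
            s[cat] += 1
        else:
            s["review"].append("%s!%s patched: %s" % (h["mod"], h["func"], detail))
    return summary


def main():
    for proc, s in summarize(SAMPLE_LOG).items():
        print("%s: %d hooks, resolved=%s, unresolved JMP=%d, indirect JMP=%d" % (
            proc, s["hooks"], dict(s["resolved"]), s["unresolved_jmp"], s["indirect_jmp"]))
        for item in s["review"]:
            print("  REVIEW:", item)


if __name__ == "__main__":
    main()
```

A bare `JMP 71AE000A` without a module path means GMER could not map the target to a loaded image; in the log above the same bare targets recur in rundll32.exe and SynTPEnh.exe, which is what a HIPS that injects identical trampolines into every process looks like, but the script does not treat that as proof of anything. It only keeps those hooks apart from the ones that resolve to a named DLL so the reviewer knows which memory regions still need to be identified by hand.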
21.02.2014, 23:12 | #14 |
| Windows 7: Blue screen after start, recovery successful but malware suspected gmer10_5142-5583.txt Code:
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C1000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70A9000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70C4000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70AC000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 708B000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 708E000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70DC000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70C7000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 709A000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70BB000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70D9000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70BE000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7091000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 7094000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70DF000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 7097000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70D6000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A3000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D0000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70CA000A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP
70CD000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D3000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70A6000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] 
GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B2000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70AF000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70B5000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWindowTextW 
7664612B 6 Bytes JMP 709D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70B8000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A0000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] WININET.dll!InternetOpenUrlA 7696E1C6 6 Bytes JMP 70E5000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] WININET.dll!InternetOpenUrlW 769CDC08 6 Bytes JMP 70E2000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\system32\notepad.exe[4420] 
ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\notepad.exe[4420] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 
710F000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\system32\notepad.exe[4420] 
kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\system32\notepad.exe[4420] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text 
C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\system32\notepad.exe[4420] 
ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\notepad.exe[4420] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[4420] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[4420] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\system32\notepad.exe[4420] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[4420] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!GetKeyState 
76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[4420] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\notepad.exe[4420] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\notepad.exe[4420] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\notepad.exe[4420] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\notepad.exe[4420] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\notepad.exe[4420] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\notepad.exe[4420] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\notepad.exe[4420] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text E:\Defogger.exe[4716] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text E:\Defogger.exe[4716] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text E:\Defogger.exe[4716] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 
25, 1E] .text E:\Defogger.exe[4716] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text E:\Defogger.exe[4716] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text E:\Defogger.exe[4716] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text E:\Defogger.exe[4716] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text E:\Defogger.exe[4716] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text E:\Defogger.exe[4716] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text E:\Defogger.exe[4716] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text E:\Defogger.exe[4716] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text E:\Defogger.exe[4716] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text E:\Defogger.exe[4716] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text E:\Defogger.exe[4716] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text E:\Defogger.exe[4716] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text E:\Defogger.exe[4716] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text E:\Defogger.exe[4716] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text E:\Defogger.exe[4716] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text E:\Defogger.exe[4716] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text E:\Defogger.exe[4716] 
kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text E:\Defogger.exe[4716] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text E:\Defogger.exe[4716] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text E:\Defogger.exe[4716] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text E:\Defogger.exe[4716] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text E:\Defogger.exe[4716] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text E:\Defogger.exe[4716] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text E:\Defogger.exe[4716] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text E:\Defogger.exe[4716] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text E:\Defogger.exe[4716] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text E:\Defogger.exe[4716] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text E:\Defogger.exe[4716] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text E:\Defogger.exe[4716] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text E:\Defogger.exe[4716] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text E:\Defogger.exe[4716] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text E:\Defogger.exe[4716] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text E:\Defogger.exe[4716] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text E:\Defogger.exe[4716] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text E:\Defogger.exe[4716] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text E:\Defogger.exe[4716] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text E:\Defogger.exe[4716] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text E:\Defogger.exe[4716] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text E:\Defogger.exe[4716] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text E:\Defogger.exe[4716] kernel32.dll!CreateRemoteThread 
7683FADB 6 Bytes JMP 71AE000A .text E:\Defogger.exe[4716] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text E:\Defogger.exe[4716] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text E:\Defogger.exe[4716] 
ADVAPI32.DLL!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] ADVAPI32.DLL!CreateServiceA 76753264 6 Bytes JMP 715D000A .text E:\Defogger.exe[4716] ADVAPI32.DLL!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text E:\Defogger.exe[4716] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text E:\Defogger.exe[4716] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text E:\Defogger.exe[4716] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text E:\Defogger.exe[4716] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text E:\Defogger.exe[4716] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text E:\Defogger.exe[4716] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text E:\Defogger.exe[4716] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text E:\Defogger.exe[4716] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text E:\Defogger.exe[4716] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text E:\Defogger.exe[4716] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text E:\Defogger.exe[4716] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text E:\Defogger.exe[4716] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text E:\Defogger.exe[4716] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text E:\Defogger.exe[4716] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text E:\Defogger.exe[4716] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text E:\Defogger.exe[4716] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text E:\Defogger.exe[4716] 
USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text E:\Defogger.exe[4716] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text E:\Defogger.exe[4716] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text E:\Defogger.exe[4716] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text E:\Defogger.exe[4716] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text E:\Defogger.exe[4716] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text E:\Defogger.exe[4716] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text E:\Defogger.exe[4716] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text E:\Defogger.exe[4716] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text E:\Defogger.exe[4716] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text E:\Defogger.exe[4716] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text E:\Defogger.exe[4716] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A |
21.02.2014, 23:24 | #15 |
| Windows 7: Blue screen after startup, recovery successful but suspected malware gmer11_5584-5934.txt Code:
USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\conhost.exe[4732] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] 
.text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\conhost.exe[4732] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\conhost.exe[4732] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\conhost.exe[4732] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\conhost.exe[4732] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\conhost.exe[4732] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\conhost.exe[4732] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\UI0Detect.exe[4824] 
ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text 
C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text 
C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MoveFileW 76816EC6 6 Bytes JMP 709A000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text 
C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!CreateServiceA 
76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\UI0Detect.exe[4824] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text 
C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\UI0Detect.exe[4824] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\UI0Detect.exe[4824] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\UI0Detect.exe[4824] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\UI0Detect.exe[4824] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\UI0Detect.exe[4824] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\UI0Detect.exe[4824] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A .text C:\Windows\system32\notepad.exe[5188] ntdll.dll!NtAlpcSendWaitReceivePort 77C85458 5 Bytes JMP 1002B670 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] ntdll.dll!NtClose 77C85508 5 Bytes JMP 1001D120 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] ntdll.dll!NtLoadDriver 77C85B98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5188] ntdll.dll!NtLoadDriver + 4 77C85B9C 2 Bytes [5F, 71] .text C:\Windows\system32\notepad.exe[5188] ntdll.dll!NtSuspendProcess 77C868C8 3 Bytes [FF, 25, 1E] .text 
C:\Windows\system32\notepad.exe[5188] ntdll.dll!NtSuspendProcess + 4 77C868CC 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\notepad.exe[5188] ntdll.dll!LdrUnloadDll 77C9C8DE 7 Bytes JMP 1001D240 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] ntdll.dll!LdrLoadDll 77CA22AE 5 Bytes JMP 10027F40 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateProcessW 767B204D 5 Bytes JMP 10025070 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateProcessA 767B2082 5 Bytes JMP 10025C00 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateProcessAsUserW 767E59FF 5 Bytes JMP 10023BA0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CopyFileW 767E6B3F 6 Bytes JMP 70F7000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CopyFileExW 767EB280 6 Bytes JMP 70F1000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateToolhelp32Snapshot 767EFD29 6 Bytes JMP 7118000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!OpenMutexA 767F0412 6 Bytes JMP 70C7000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!DeleteFileW 767F1737 6 Bytes JMP 70AF000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!TerminateProcess 767F2C05 6 Bytes JMP 71A4000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!VirtualProtect 767F2C15 6 Bytes JMP 710F000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateMutexW 767F33D6 6 Bytes JMP 70CA000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!DeleteFileA 767F43CA 6 Bytes JMP 70B2000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!OpenProcess 767F54E7 6 Bytes JMP 7091000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!MoveFileExW 767F8DF8 6 Bytes JMP 7094000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateDirectoryW 767F99D1 6 Bytes JMP 70E2000A .text 
C:\Windows\system32\notepad.exe[5188] kernel32.dll!LoadResource 767F9CBA 6 Bytes JMP 70FD000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!DeviceIoControl 767FB96D 6 Bytes JMP 70E8000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!VirtualAlloc 767FC42A 6 Bytes JMP 7112000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!GetProcAddress 767FCC84 6 Bytes JMP 7151000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateMutexA 767FD7C4 6 Bytes JMP 70CD000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!LoadLibraryA 767FDC55 6 Bytes JMP 719E000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateThread 767FDCB2 6 Bytes JMP 7115000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateFileW 767FE895 6 Bytes JMP 711E000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateFileA 767FEA51 6 Bytes JMP 711B000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!WideCharToMultiByte 767FEEEA 6 Bytes JMP 70A0000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!MultiByteToWideChar 767FEEF7 6 Bytes JMP 70C1000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!LoadLibraryW 767FEF32 6 Bytes JMP 719B000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!WriteFile 768053DE 6 Bytes JMP 70DF000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!GetVolumeInformationW 76806191 6 Bytes JMP 714B000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!OpenMutexW 76808ECD 6 Bytes JMP 70C4000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!TerminateThread 7680BBF1 6 Bytes JMP 7175000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!MoveFileExA 76813F68 6 Bytes JMP 7097000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!GetVolumeInformationA 76815CB2 6 Bytes JMP 714E000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CopyFileA 76816D4A 6 Bytes JMP 70FA000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!MoveFileW 76816EC6 
6 Bytes JMP 709A000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateDirectoryA 768180D5 6 Bytes JMP 70E5000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!WriteProcessMemory 7681958F 6 Bytes JMP 71A1000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!DebugActiveProcess 7683738C 6 Bytes JMP 7172000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!MoveFileA 7683BF49 6 Bytes JMP 709D000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CopyFileExA 7683CDA1 6 Bytes JMP 70F4000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!WinExec 7683ED9E 6 Bytes JMP 717E000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!CreateRemoteThread 7683FADB 6 Bytes JMP 71AE000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!VirtualProtectEx 7683FD39 6 Bytes JMP 7163000A .text C:\Windows\system32\notepad.exe[5188] kernel32.dll!SetThreadContext 768408B3 6 Bytes JMP 70DC000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!OpenSCManagerW 7671CA04 6 Bytes JMP 7109000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegOpenKeyA 7671CBB5 6 Bytes JMP 713C000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegCreateKeyA 7671CCA1 6 Bytes JMP 7142000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegQueryValueA 7671CDB2 5 Bytes JMP 712A000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegDeleteKeyW 767211F2 6 Bytes JMP 70A9000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegCreateKeyExA 767213E9 6 Bytes JMP 7148000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegSetValueExA 76721433 6 Bytes JMP 7130000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegSetValueExW 76721456 6 Bytes JMP 712D000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegCreateKeyW 76721494 6 Bytes JMP 713F000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegOpenKeyW 767223D9 6 Bytes JMP 7139000A .text C:\Windows\system32\notepad.exe[5188] 
ADVAPI32.dll!OpenSCManagerA 76722B58 6 Bytes JMP 710C000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!LookupPrivilegeValueA 76723FCA 6 Bytes JMP 70D6000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegCreateKeyExW 7672407E 6 Bytes JMP 7145000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!AdjustTokenPrivileges 7672410E 6 Bytes JMP 70D0000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!LookupPrivilegeValueW 76724133 6 Bytes JMP 70D3000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!OpenProcessToken 76724284 6 Bytes JMP 70D9000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegQueryValueW 76724434 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegQueryValueW + 4 76724438 2 Bytes [26, 71] .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegOpenKeyExW 7672460D 6 Bytes JMP 7133000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegQueryValueExW 7672462D 6 Bytes JMP 7121000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegQueryValueExA 7672486F 6 Bytes JMP 7124000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegOpenKeyExA 76724887 6 Bytes JMP 7136000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!CreateServiceW 767370C4 6 Bytes JMP 715A000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!RegDeleteKeyA 7673A84F 6 Bytes JMP 70AC000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!CreateProcessAsUserA 76752642 5 Bytes JMP 100244D0 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!CreateServiceA 76753264 6 Bytes JMP 715D000A .text C:\Windows\system32\notepad.exe[5188] ADVAPI32.dll!LsaRemoveAccountRights 767589F1 6 Bytes JMP 71A7000A .text C:\Windows\system32\notepad.exe[5188] GDI32.dll!DeleteDC 77DF6EAA 5 Bytes JMP 10028D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] GDI32.dll!GetPixel 77DFC3D5 5 Bytes JMP 10028AE0 
C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] GDI32.dll!CreateDCA 77DFCCA9 5 Bytes JMP 10029E10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] GDI32.dll!CreateDCW 77DFCF79 5 Bytes JMP 10029D10 C:\Windows\system32\guard32.dll .text C:\Windows\system32\notepad.exe[5188] USER32.dll!RegisterRawInputDevices 76635B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5188] USER32.dll!RegisterRawInputDevices + 4 76635B56 2 Bytes [53, 71] .text C:\Windows\system32\notepad.exe[5188] USER32.dll!GetWindowTextA 76636EED 6 Bytes JMP 7106000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!GetAsyncKeyState 7663A256 6 Bytes JMP 716C000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!GetWindowTextW 7663B8C5 6 Bytes JMP 7103000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!CreateWindowExA 7663BF40 6 Bytes JMP 70B8000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!SetWindowsHookExW 7663E30C 6 Bytes JMP 7195000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!CreateWindowExW 7663EC7C 6 Bytes JMP 70B5000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!ShowWindow 7663F2A9 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[5188] USER32.dll!ShowWindow + 4 7663F2AD 2 Bytes [FF, 70] .text C:\Windows\system32\notepad.exe[5188] USER32.dll!SetWinEventHook 766424DC 6 Bytes JMP 7157000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!GetKeyState 76642B4D 6 Bytes JMP 716F000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!DrawTextW 76645B6A 6 Bytes JMP 70BB000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!SetWindowTextW 7664612B 6 Bytes JMP 70A3000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!DrawTextA 7665AE29 6 Bytes JMP 70BE000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!SetWindowTextA 76660C5B 6 Bytes JMP 70A6000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!GetKeyboardState 76666946 3 Bytes [FF, 25, 1E] .text 
C:\Windows\system32\notepad.exe[5188] USER32.dll!GetKeyboardState + 4 7666694A 2 Bytes [68, 71] .text C:\Windows\system32\notepad.exe[5188] USER32.dll!SetWindowsHookExA 76666D0C 6 Bytes JMP 7198000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!DdeConnect 7667EB5B 6 Bytes JMP 7166000A .text C:\Windows\system32\notepad.exe[5188] USER32.dll!EndTask 7667FD66 6 Bytes JMP 717B000A .text C:\Windows\system32\notepad.exe[5188] SHELL32.dll!ShellExecuteW 76E63C31 6 Bytes JMP 7187000A .text C:\Windows\system32\notepad.exe[5188] SHELL32.dll!Shell_NotifyIconW 76E70171 6 Bytes JMP 70EB000A .text C:\Windows\system32\notepad.exe[5188] SHELL32.dll!ShellExecuteExW 76E71DF6 6 Bytes JMP 7181000A .text C:\Windows\system32\notepad.exe[5188] SHELL32.dll!ShellExecuteEx 7709748A 6 Bytes JMP 7184000A .text C:\Windows\system32\notepad.exe[5188] SHELL32.dll!ShellExecuteA 77097525 6 Bytes JMP 718A000A .text C:\Windows\system32\notepad.exe[5188] SHELL32.dll!Shell_NotifyIcon 77098F9E 6 Bytes JMP 70EE000A

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys
AttachedDevice \Driver\tdx \Device\Tcp TfNetMon.sys
Device \Driver\usbhub \Device\USBPDO-7 ctxusbm.sys
Device \Driver\usbhub \Device\00000073 ctxusbm.sys
Device \Driver\usbhub \Device\00000074 ctxusbm.sys
Device \Driver\usbhub \Device\00000075 ctxusbm.sys
Device \Driver\usbhub \Device\00000076 ctxusbm.sys
Device \Driver\usbhub \Device\00000077 ctxusbm.sys
Device \Driver\usbhub \Device\00000078 ctxusbm.sys
Device \Driver\usbhub \Device\00000079 ctxusbm.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- Processes - GMER 2.1 ----

Library E:\Defogger.exe (*** hidden *** ) @ E:\Defogger.exe [4716] 0x00400000

---- EOF - GMER 2.1 ----

So, that's done now! Hello Schrauber, all 11 parts of the GMER file are now posted; the parts are named gmer<teilnr>_<startzeile>-<endezeile>.txt. Regards, Regina