Log Analysis and Evaluation: phishing mail possibly sent from gmail account
Windows 7
If you have caught a Trojan or keep getting virus warnings, you can post the logs from our diagnostic tools here so that our experts can evaluate them. Before viruses and Trojans can be removed, the infected system first has to be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.
11.05.2014, 14:28 | #1
phishing mail possibly sent from gmail account
Phishing mails may have been sent from my gmail account. I received a "mail delivery failed" mail from Google. It landed in my spam folder. I have attached the text of this mail to this post as a txt file. I suspect a rootkit, so I scanned with GMER and posted the logfile: Attachment 66820
-------------
Maybe you can help me.
Best regards
marcus
11.05.2014, 15:15 | #2
/// the machine /// TB-Ausbilder | phishing mail possibly sent from gmail account
Hi,

Please always post logs directly in the thread. If necessary, split them up and use several posts. I cannot open attachments at work, thanks.

This is how it works: Posting in CODE tags
Attaching the logfiles, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the logfiles into a CODE box, proceed as follows:

Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST 32-Bit | FRST 64-Bit (If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties)
11.05.2014, 18:08 | #3
phishing mail possibly sent from gmail account
Sorry, I had tried to follow all instructions and rules.
Regards
marcus

email text: Code:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address failed:

"xxx@googlemail.com":
SMTP error from remote server after transfer of mail text:
host: gmail-smtp-in.l.google.com
4.7.0 [82.165.159.2 15] Our system has detected an unusual rate of
4.7.0 unsolicited mail originating from your IP address. To protect our
4.7.0 users from spam, mail sent from your IP address has been temporarily
4.7.0 rate limited. Please visit hxxp://www.google.com/mail/help/bulk_mail.
4.7.0 html to review our Bulk Email Senders Guidelines. r9si35183470eew.258 - gsmtp

--- The header of the original message is following. ---

Received: from [213.165.67.120] ([213.165.67.120]) by mx-ha.web.de (mxweb104) with ESMTP (Nemesis) id 0MMCzR-1WnvQ81uwv-0083ss for <xxx@googlemail.com>; Thu, 01 May 2014 23:11:41 +0200
Received: from bodyactive.nl ([213.125.67.202]) by mx-ha.web.de (mxweb104) with ESMTP (Nemesis) id 0MaYS5-1WQuO41uYr-00K4zC for <xx@web.de>; Thu, 01 May 2014 23:11:41 +0200
Received: from User ([62.140.132.199]) by bodyactive.nl with Microsoft SMTPSVC(6.0.3790.4675); Thu, 1 May 2014 23:09:53 +0200
Reply-To: <Sparkassse@gmail.com>
From: "Sparkasse Sicherheits Online-Banking Update"<Sparkassse@gmail.com>
Subject: Sparkasse Sicherheits Update
Date: Thu, 1 May 2014 23:09:56 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: Sparkassse@gmail.com
Message-ID: <SBSBODYACTIVE6vdGg100000055@bodyactive.nl>
X-OriginalArrivalTime: 01 May 2014 21:09:54.0163 (UTC) FILETIME=[B2C75C30:01CF6581]

gmer logfile part 1 Code:
ATTFilter GMER 2.1.19357 - hxxp://www.gmer.net Rootkit scan 2014-05-11 15:04:54 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST350041 rev.HP64 465,76GB Running: Gmer-19357.exe; Driver: C:\Users\Chris\AppData\Local\Temp\fgloqpod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002ff9000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002ff902f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077291360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077291560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077291360 8 bytes JMP 000000016fff00d8 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077291560 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 8 bytes JMP 000000016fff0148 .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 
00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\services.exe[632] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\services.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\system32\services.exe[632] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\services.exe[632] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed64750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefce950a0 6 bytes {JMP QWORD [RIP+0x6af90]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077026ef0 6 bytes {JMP QWORD [RIP+0x93b9140]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077028184 6 bytes {JMP QWORD [RIP+0x9497eac]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SetParent 0000000077028530 6 bytes {JMP QWORD [RIP+0x93d7b00]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077029bcc 6 bytes {JMP QWORD 
[RIP+0x9136464]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!PostMessageA 000000007702a404 6 bytes {JMP QWORD [RIP+0x9175c2c]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!EnableWindow 000000007702aaa0 6 bytes {JMP QWORD [RIP+0x94d5590]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!MoveWindow 000000007702aad0 6 bytes {JMP QWORD [RIP+0x93f5560]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007702c720 6 bytes {JMP QWORD [RIP+0x9393910]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007702cd50 6 bytes {JMP QWORD [RIP+0x94732e0]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007702d2b0 6 bytes {JMP QWORD [RIP+0x91b2d80]} Code:
ATTFilter .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendMessageA 000000007702d338 6 bytes {JMP QWORD [RIP+0x91f2cf8]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007702dc40 6 bytes {JMP QWORD [RIP+0x92d23f0]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007702f510 6 bytes {JMP QWORD [RIP+0x94b0b20]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007702f874 6 bytes {JMP QWORD [RIP+0x90f07bc]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007702fac0 6 bytes {JMP QWORD [RIP+0x9250570]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077030b74 6 bytes {JMP QWORD [RIP+0x91cf4bc]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000770333b0 6 bytes {JMP QWORD [RIP+0x914cc80]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077034d4d 5 bytes {JMP QWORD [RIP+0x910b2e4]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!GetKeyState 0000000077035010 6 bytes {JMP QWORD [RIP+0x936b020]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077035438 6 bytes {JMP QWORD [RIP+0x928abf8]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendMessageW 0000000077036b50 6 bytes {JMP QWORD [RIP+0x92094e0]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!PostMessageW 00000000770376e4 6 bytes {JMP QWORD [RIP+0x918894c]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007703dd90 6 bytes {JMP QWORD [RIP+0x93022a0]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!GetClipboardData 
000000007703e874 6 bytes {JMP QWORD [RIP+0x94417bc]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007703f780 6 bytes {JMP QWORD [RIP+0x94008b0]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000770428e4 6 bytes {JMP QWORD [RIP+0x929d74c]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!mouse_event 0000000077043894 6 bytes {JMP QWORD [RIP+0x909c79c]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077048a10 6 bytes {JMP QWORD [RIP+0x9337620]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077048be0 6 bytes {JMP QWORD [RIP+0x9217450]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077048c20 6 bytes {JMP QWORD [RIP+0x90b7410]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendInput 0000000077048cd0 6 bytes {JMP QWORD [RIP+0x9317360]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!BlockInput 000000007704ad60 6 bytes {JMP QWORD [RIP+0x94152d0]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000770714e0 6 bytes {JMP QWORD [RIP+0x94aeb50]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!keybd_event 00000000770945a4 6 bytes {JMP QWORD [RIP+0x902ba8c]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007709cc08 6 bytes {JMP QWORD [RIP+0x9283428]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007709df18 6 bytes {JMP QWORD [RIP+0x9202118]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\GDI32.dll!BitBlt 
000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\services.exe[632] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text 
C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] 
.text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes JMP 0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd79a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd7c0c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\lsass.exe[656] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000e150a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text 
C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text 
C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\system32\lsm.exe[664] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000e150a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD 
[RIP+0x8d8ec90]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes 
{JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed64750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes JMP 0 .text 
C:\Windows\system32\svchost.exe[808] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[808] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000e150a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\svchost.exe[880] 
C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed64750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\svchost.exe[880] 
C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd79a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd7c0c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000eb50a0 6 bytes {JMP QWORD [RIP+0x9af90]} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077291430 8 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 8 bytes JMP 000000016fff0110 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\svchost.exe[124] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text 
C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes JMP 8000978b .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000ed50a0 6 bytes {JMP QWORD [RIP+0x9af90]} .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Windows\system32\atiesrxx.exe[584] 
C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x33a450]} .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0x29766c]} .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes JMP 0 .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x374648]} .text C:\Windows\system32\atiesrxx.exe[584] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x353780]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\System32\svchost.exe[784] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} |
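Added note and example (not part of the thread, and not GMER's own code): the listing above is GMER's user-mode inline-hook section, one `.text` record per hooked export giving the process and PID, `module!export` (plus an offset when the patch is inside the function), the patched address, the patch length, and GMER's reading of the overwritten bytes. Two things a helper checks before calling this a rootkit: whether the same export carries the same `{JMP QWORD [RIP+0x...]}` patch in every listed process (the pointer slot that jump reads then sits at the same address everywhere, which is how one system-wide hooking module behaves; a security product such as the COMODO Internet Security whose cmdagent.exe also appears in the list hooks that way, so consistency alone proves nothing either way), and which records GMER could not resolve (`JMP 0`, targets below the unmapped null page), which want a manual look. The script below parses such records, also when the forum has run them together on one line, groups them per export across processes, and flags the unresolved ones. It does not decide whether a hook is malicious. The function names, the classification labels and the sample records (copied from the record format posted above) are my own choices; records from GMER's other sections (drivers, kernel code) do not match the pattern and are skipped.

```python
"""Triage GMER ".text" inline-hook records: parse, group per export, flag oddities.

Added example for this thread; not GMER's code and nothing the thread itself ran.
The record layout follows the entries posted above.
"""
import re
from collections import defaultdict

# Constructed sample in GMER's record layout (tabs or runs of spaces between
# fields). The records mirror entries posted in this thread.
SAMPLE_LOG = r"""
.text  C:\Windows\system32\svchost.exe[880]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text  C:\Windows\system32\svchost.exe[880]  C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357  000007fefd0b9055 3 bytes CALL 9000027
.text  C:\Windows\system32\svchost.exe[880]  C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters  000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A]
.text  C:\Windows\system32\svchost.exe[880]  C:\Windows\system32\GDI32.dll!BitBlt  000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]}
.text  C:\Windows\system32\svchost.exe[124]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx  0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text  C:\Windows\system32\svchost.exe[124]  C:\Windows\system32\GDI32.dll!BitBlt  000007fefdbb24b8 6 bytes JMP 8000978b
.text  C:\Windows\system32\atiesrxx.exe[584]  C:\Windows\system32\GDI32.dll!DeleteDC  000007fefdbb22d0 6 bytes JMP 0
.text  C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[956]  C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile  0000000077291800 8 bytes JMP 000000016fff0110
"""

# One GMER ".text" record. Process paths may contain spaces, so the path is
# matched lazily up to the "[pid]" suffix.
ENTRY = re.compile(
    r"\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"                     # process path and PID
    r"(?P<module>\S+?)!(?P<func>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"    # module!export[ + offset]
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<nbytes>\d+)\s+bytes\s+"      # patched address, length
    r"(?P<patch>.+?)\s*$",                                            # GMER's reading of the patch
    re.S,
)


def classify(patch):
    """Label GMER's rendering of the overwritten bytes (labels are my own)."""
    if re.fullmatch(r"\{JMP QWORD \[RIP\+0x[0-9a-fA-F]+\]\}", patch):
        return "rip_relative_jmp"      # FF 25 disp32: jump through a pointer slot
    if re.fullmatch(r"\[(?:[0-9A-F]{2}(?:, )?)+\]", patch):
        return "raw_bytes"             # GMER shows the bytes it could not decode
    m = re.fullmatch(r"(JMP|CALL) ([0-9a-fA-F]+)", patch)
    if m:
        target = int(m.group(2), 16)
        # Below 0x10000 lies the never-mapped null page region on x64 Windows,
        # so such a target cannot be real code: GMER did not resolve it.
        return "unresolved_target" if target < 0x10000 else "direct_" + m.group(1).lower()
    return "other"


def parse_gmer_hooks(text):
    """Return one dict per '.text' record; tolerates records run together on one line."""
    entries = []
    for chunk in re.split(r"(?=\.text\s)", text):
        m = ENTRY.match(chunk.strip())
        if not m:
            continue                    # blank chunk or a record from another GMER section
        e = m.groupdict()
        e["pid"] = int(e["pid"])
        e["nbytes"] = int(e["nbytes"])
        e["kind"] = classify(e["patch"])
        entries.append(e)
    return entries


def summarise(entries):
    """Group hooks by export and report whether every process carries the same patch."""
    by_export = defaultdict(dict)       # (module basename, export) -> {pid: patch}
    for e in entries:
        key = (e["module"].rsplit("\\", 1)[-1].lower(), e["func"])
        by_export[key][e["pid"]] = e["patch"]
    report = {}
    for key, per_pid in by_export.items():
        distinct = set(per_pid.values())
        report[key] = {
            "processes": sorted(per_pid),
            "consistent": len(distinct) == 1,
            "patches": sorted(distinct),
        }
    return report


def suspicious(entries):
    """Records a reviewer should inspect by hand: unresolved or undecodable patches."""
    return [e for e in entries if e["kind"] in ("unresolved_target", "other")]


if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE_LOG)
    for (module, func), info in summarise(hooks).items():
        flag = "same in all" if info["consistent"] else "DIFFERS"
        print(f"{module}!{func:<28} pids={info['processes']} {flag}: {info['patches']}")
    for e in suspicious(hooks):
        print("review manually:", e["proc"], e["pid"], e["func"], e["patch"])
```

Run it on a full GMER log by passing the file contents to `parse_gmer_hooks`; exports whose patch differs between processes, and anything `suspicious` returns, are the records worth pasting into the thread with a question, while a long list of identical `rip_relative_jmp` hooks across every process is the pattern to reconcile with the installed security software first.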
11.05.2014, 18:09 | #4 |
| phishing mail possibly sent from gmail account gmer part 3 Code:
ATTFilter .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\System32\svchost.exe[784] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0x18af90]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes JMP 5f005f .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes JMP 5ab2c81 .text C:\Windows\System32\svchost.exe[1028] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes JMP 8de2900 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes JMP 5c55711 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes JMP 610061 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes JMP f13bbc0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes JMP 6e006e .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes JMP 5c55679 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes JMP 5b6cb48 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes JMP 5c8f868 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes JMP 2d680 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes JMP a64dce0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes JMP 8ff52a8 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes JMP 41bb481 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes JMP 4d37081 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes JMP 0 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes JMP f25480 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes 
JMP 5c55419 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes JMP 600068 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes JMP 600073 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes JMP 64 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes JMP 5c55711 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes JMP 2dc281 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes 
{JMP QWORD [RIP+0x173780]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd79a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[1028] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd7c0c10 6 bytes JMP 1f501f40 .text C:\Windows\System32\svchost.exe[1028] C:\Windows\System32\SspiCli.dll!EncryptMessage 0000000000db50a0 6 bytes {JMP QWORD [RIP+0x8af90]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP 
QWORD [RIP+0x94ce640]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!MaskBlt 
000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\system32\svchost.exe[1068] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000ef50a0 6 bytes {JMP QWORD [RIP+0x1faf90]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD 
[RIP+0x92ce8a0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Windows\system32\svchost.exe[1092] 
C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed64750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd79a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd7c0c10 6 bytes 
{JMP QWORD [RIP+0xaf420]} .text C:\Windows\system32\svchost.exe[1092] c:\windows\system32\SspiCli.dll!EncryptMessage 0000000000e550a0 6 bytes JMP e2ced40 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0x10af90]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\atieclxx.exe[1292] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text 
C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes JMP 434de443 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes JMP 6f006f .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0x2b7cac]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0x29766c]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x374648]} .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes JMP 0 .text C:\Windows\system32\atieclxx.exe[1292] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024750a0 6 bytes {JMP 
QWORD [RIP+0x18eaf90]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 
0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x2fdd60]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0x2b7cac]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0x29766c]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0x2d6cf4]} .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes JMP 6e .text 
C:\Windows\System32\spoolsv.exe[1444] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes JMP 0 .text C:\Windows\System32\spoolsv.exe[1444] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000021850a0 6 bytes {JMP QWORD [RIP+0x7af90]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text 
C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed64750 6 bytes {JMP QWORD [RIP+0x10b8e0]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text 
C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd79a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd7c0c10 6 bytes JMP 1f501f40 .text C:\Windows\system32\svchost.exe[1528] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000e150a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 
000000007743fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Common 
Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] 
C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] 
C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 
7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a |
11.05.2014, 18:10 | #5 |
| phishing mail possibly sent from gmail account part 4 Code:
ATTFilter .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] 
C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1636] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... 
* 2 .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 
bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 79000026 .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes 
{JMP QWORD [RIP+0xf6cf4]}
.text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes JMP 0
.text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd79a6f0 6 bytes {JMP QWORD [RIP+0xb5940]}
.text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd7c0c10 6 bytes JMP 1ca
.text C:\Windows\system32\taskhost.exe[1788] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000002ba50a0 6 bytes {JMP QWORD [RIP+0x7af90]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes JMP 1
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\Dwm.exe[1904] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70e2000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70df000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70eb000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 7103000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 7103000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 7100000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 7100000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e5000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e5000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70d3000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70d3000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7106000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7106000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70f4000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70f4000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70dc000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70dc000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d6000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d6000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70f1000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70f1000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d9000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d9000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70ee000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70ee000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70fd000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70fd000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70fa000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70fa000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 7160000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 7154000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 710f000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendMessageW 0000000076839679 6 bytes JMP 714e000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7148000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7166000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7115000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7115000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!PostMessageW 00000000768412a5 6 bytes JMP 715a000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!GetKeyState 000000007684291f 6 bytes JMP 712d000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SetParent 0000000076842d64 3 bytes JMP 7124000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 7124000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!EnableWindow 0000000076842da4 6 bytes JMP 710c000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!MoveWindow 0000000076843698 3 bytes JMP 7121000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 7121000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!PostMessageA 0000000076843baa 6 bytes JMP 715d000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7157000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 7163000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendMessageA 000000007684612e 6 bytes JMP 7151000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 7112000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7169000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 713c000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 7142000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 714b000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 716c000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 711e000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 711e000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 711b000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\user32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76]
.text C:\Windows\SysWOW64\ezSharedSvcHost.exe[1996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76]
.text ... * 2
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes JMP 3a000000
.text C:\Windows\Explorer.EXE[2044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes JMP 3a000000
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x12cdd60]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x12edb78]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x130a450]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0x1157cac]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0x113766c]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0x12a6cf4]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x1344648]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x1323780]}
.text C:\Windows\Explorer.EXE[2044] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefce950a0 6 bytes {JMP QWORD [RIP+0x6af90]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]}
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes JMP 194640
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes JMP 173780
.text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000f450a0 6 bytes JMP 0
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 09]
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0D]
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe[1652] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A]
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x12cdd60]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x12edb78]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x130a450]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0x1157cac]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0x113766c]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0x12a6cf4]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x1344648]}
.text c:\Program Files\Intel\iCLS Client\HeciServer.exe[1344] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x1323780]}
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine
Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management 
Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 
00000000768390d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 710c000a .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 716c000a |
11.05.2014, 18:10 | #6 |
| phishing mail possibly sent from gmail account part 5 Code:
ATTFilter .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a .text C:\Program 
Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\Intel\Intel(R) 
Management Engine Components\FWService\IntelMeFWService.exe[2064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 
000000007743ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 
70fa000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] 
C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a .text C:\Program 
Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a 
.text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe[2092] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... 
* 2 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes JMP 0 .text C:\Windows\system32\svchost.exe[2216] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0x17af90]} .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a .text C:\Program Files 
(x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 7103000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 7103000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 7100000a .text C:\Program Files 
(x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 7100000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7106000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7106000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d6000a .text 
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text 
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 7160000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 
714e000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 7121000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 715d000a .text C:\Program Files 
(x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 7163000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7169000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 713c000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a .text C:\Program Files 
(x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a .text C:\Program Files 
(x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] 
C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 25] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd79a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd7c0c10 6 bytes JMP 1f501f40 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes JMP 65747379 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes JMP d .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes JMP 0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes JMP b09a2dec .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes JMP 1 .text C:\Program 
Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2716] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000013050a0 6 bytes {JMP QWORD [RIP+0x21af90]} .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe[2828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70eb000a .text C:\Program Files 
11.05.2014, 18:13 | #7
Phishing mail possibly sent from Gmail account
Code:
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] 
C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 
69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\Browny02\BrYNSvc.exe[2532] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... * 2 .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\system32\svchost.exe[2528] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000000ef50a0 6 bytes {JMP QWORD [RIP+0x9af90]} .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text 
C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f1000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70dc000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e2000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70d9000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 70fd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 70fd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 70fa000a .text C:\Program Files 
(x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 70fa000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70df000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70cd000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7100000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7100000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70ee000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70d6000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70d6000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d0000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d0000a .text C:\Program Files 
(x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70e8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70f7000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70f4000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Program Files 
(x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 717e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 7178000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 716f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 7175000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7172000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 715a000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 714e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] 
C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 7109000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 7148000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7142000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7160000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 710f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 710f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 7154000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 7127000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 711e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 711e000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 7106000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 711b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 711b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 
7157000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7151000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 715d000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 714b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 710c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7163000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 7136000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 713c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 7145000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 7166000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 7118000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7133000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7130000a .text 
C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 7124000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 712a000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 712a000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 712d000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 712d000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7112000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7103000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 7169000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 716c000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 713f000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 7139000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 7115000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7121000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7121000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 717b000a .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe[3300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... 
* 2 .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\SearchIndexer.exe[3340] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 
bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\SearchIndexer.exe[3340] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 
70df000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 7103000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 7103000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 7100000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 7100000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7106000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7106000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] 
C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70fd000a 
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 7160000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] 
C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 714e000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 7121000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] 
C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 7163000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7169000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 713c000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a .text 
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 
711b000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a 
.text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... * 2 .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\System32\svchost.exe[3832] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 9000027 .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text 
C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefd79a6f0 6 bytes {JMP QWORD [RIP+0xb5940]} .text C:\Windows\System32\svchost.exe[3832] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefd7c0c10 6 bytes JMP 1f501f40 .text C:\Windows\System32\svchost.exe[3832] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0xfaf90]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70e2000a .text 
C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 7103000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 7103000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 7100000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 7100000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70d3000a .text C:\Program 
Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7106000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7106000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 
70d9000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] 
C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 7160000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 714e000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] 
C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 7121000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 7163000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 7112000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7169000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 713c000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] 
C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] 
C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 
bytes JMP 7187000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe[3960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... |
11.05.2014, 18:13 | #8 |
| phishing mail possibly sent from gmail account part 6 Code:
.text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text 
C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 
6F, 06] .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes JMP 0 .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes JMP 0 .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes JMP 0 .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes JMP 0 .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes JMP aab .text C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe[3968] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 06] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\system32\DllHost.exe[4880] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text 
C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 79000026 .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\DllHost.exe[4880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[4808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]} .text 
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 
bytes {JMP QWORD [RIP+0x94ae300]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\KERNEL32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 06] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] 
C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1812] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes JMP 750059 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f2000a .text 
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70dd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70dd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70da000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70da000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70e6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70e6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 70fe000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Intel(R) Management 
Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 70fb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e0000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70ce000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70ce000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7101000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 5 0000000077440555 1 byte [71] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70ef000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70ef000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70d7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70d7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70ec000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70ec000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70e9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70e9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70f8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70f8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70f5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70f5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 717c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 717f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[2652] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 7179000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7170000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 7176000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7182000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 7185000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7173000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 715b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 714f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 710a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 7149000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 
7143000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7161000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7110000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7110000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 7155000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 7128000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 711f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 711f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 7107000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 711c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 7158000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7152000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 715e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 714c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 710d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7164000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 7137000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 713d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 7146000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 7167000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 7119000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 7119000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] 
C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7134000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7131000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 7125000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 712b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 712b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 712e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 712e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7113000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7104000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 716d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 
0000000076896cfc 6 bytes JMP 7140000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 7116000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7122000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7122000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... 
* 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70e2000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70df000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management 
Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70eb000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 7103000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 7100000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e5000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70d3000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7106000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70f4000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70dc000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d6000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70f1000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d9000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70ee000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70fd000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70fa000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine 
Components\UNS\UNS.exe[2368] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 7160000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 7154000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 710f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 714e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7148000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7166000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7115000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] 
C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 715a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 712d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 7124000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 710c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 7121000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 715d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7157000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 7163000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 7151000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 7112000a 
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7169000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 713c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 7142000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 714b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 716c000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 711e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 711b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... |
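A note on reading the hook listing above: GMER reports inline hooks on the same set of exports (the ntdll Nt* calls, CreateProcess*, the GDI blit functions, the USER32 input and clipboard calls, SspiCli!EncryptMessage) in every process it inspected. In the WOW64 processes the patched exports jump to stubs at 0x70xx000a-0x71xx000a; in the 64-bit processes they jump through RIP-relative pointer slots. One engine placing the identical hook set into unrelated processes (Intel's LMS/UNS services, CCleaner, taskhost, the audio engine) is what a system-wide user-mode hooking module looks like, and HIPS, anti-keylogger and AV self-protection components are the usual source. The listing alone does not identify that module, and a keylogger hooks the same input APIs, so the check that matters is what is mapped where the hooks point. The script below is an added example, not GMER output and not code from this thread: it parses entries in GMER's format (including dumps flattened onto one line, as posted here), groups processes by identical hook sets, resolves where each hook goes (for the 64-bit `{JMP QWORD [RIP+disp]}` form, `FF 25 disp32` reads its target from `addr + 6 + disp`), buckets those destinations, and lists hooks on input/screen/pre-encryption APIs. The sample log, the CAPTURE_APIS list and the 1 MiB bucket size are constructed and chosen here, not taken from GMER.

```python
"""Triage of GMER user-mode hook entries ('.text <process>[pid] <module>!<export> <addr> <n> bytes <patch>').
Added example for this thread, not part of GMER and not code from the original posts. SAMPLE_LOG is
constructed in GMER's format from the posted logs' entry style; CAPTURE_APIS and the 1 MiB bucket are
heuristics chosen here, not GMER output."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# One entry; the lookahead ends the patch text at the next '.text', so flattened dumps parse too.
ENTRY = re.compile(
    r"\.text\s+(?P<process>[A-Za-z]:\\[^\[\]]+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\w+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<size>\d+)\s+bytes\s+(?P<patch>.+?)(?=\s+\.text\b|\s*$)", re.S)
JMP32 = re.compile(r"^JMP ([0-9a-fA-F]{6,8})$")                    # WOW64: GMER prints the resolved target
RIPREL = re.compile(r"^\{JMP QWORD \[RIP\+0x([0-9a-fA-F]+)\]\}$")  # x64: FF 25 disp32, 6 bytes
# Hooked both by keyloggers/screen grabbers and by anti-keylogger/HIPS products; the hook alone does
# not say which side placed it. EncryptMessage (SspiCli) sees plaintext before SChannel encrypts it.
CAPTURE_APIS = {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState", "SetWindowsHookExA",
                "SetWindowsHookExW", "RegisterRawInputDevices", "GetClipboardData", "SetClipboardViewer",
                "SendInput", "keybd_event", "mouse_event", "BitBlt", "StretchBlt", "GetPixel", "EncryptMessage"}

@dataclass(frozen=True)
class Hook:
    process: str      # image name, e.g. "LMS.exe"
    pid: int
    module: str       # hooked DLL, e.g. "ntdll.dll"
    export: str
    offset: int       # "+ N" entries: the patch sits N bytes into the export
    addr: int
    size: int
    patch: str
    dest: int | None  # x86: JMP target; x64: the pointer slot the JMP reads; else None

def rip_relative_slot(addr: int, disp: int, length: int = 6) -> int:
    """QWORD read by 'JMP QWORD [RIP+disp]' at addr; RIP is the address of the *next* instruction."""
    return addr + length + disp

def parse_hooks(text: str) -> list[Hook]:
    hooks = []
    for m in ENTRY.finditer(text):
        addr, size = int(m["addr"], 16), int(m["size"])
        patch = " ".join(m["patch"].split())
        dest = None
        if (j := JMP32.match(patch)):
            dest = int(j.group(1), 16)
        elif (r := RIPREL.match(patch)):
            dest = rip_relative_slot(addr, int(r.group(1), 16), size)
        hooks.append(Hook(" ".join(m["process"].split()).rsplit("\\", 1)[-1], int(m["pid"]),
                          m["module"].rsplit("\\", 1)[-1], m["export"], int(m["offset"] or 0),
                          addr, size, patch, dest))
    return hooks

def shared_hook_sets(hooks: list[Hook]) -> dict[tuple, list[tuple[str, int]]]:
    """Group processes by identical set of hooked exports. Unrelated processes (a vendor service, a
    cleaner, the audio engine) carrying one identical set points at a module injected system-wide."""
    per_proc = defaultdict(set)
    for h in hooks:
        per_proc[(h.process, h.pid)].add(f"{h.module}!{h.export}")
    groups = defaultdict(list)
    for proc, exports in per_proc.items():
        groups[tuple(sorted(exports))].append(proc)
    return dict(groups)

def hook_regions(hooks: list[Hook], bucket: int = 0x100000) -> dict[int, int]:
    """Count hook destinations per address bucket. If all JMP targets and x64 pointer slots land in a
    few buckets, that is the hooking module's footprint; GMER's listing does not say what is mapped there."""
    regions = defaultdict(int)
    for h in hooks:
        if h.dest is not None:
            regions[h.dest & ~(bucket - 1)] += 1
    return dict(regions)

def capture_api_hooks(hooks: list[Hook]) -> list[tuple[str, int, str]]:
    return sorted({(h.process, h.pid, h.export) for h in hooks if h.export in CAPTURE_APIS})

# Constructed sample in GMER's format (not a real capture): two WOW64 processes with one identical
# hook set, one x64 process, and the "... * 2" continuation marker GMER emits between processes.
LMS = r".text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2652] "
UNS = r".text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2368] "
TH = r".text C:\Windows\system32\taskhost.exe[1276] "
SAMPLE_LOG = (
    LMS + r"C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a "
    + LMS + r"C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a "
    + LMS + r"C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 7125000a "
    + LMS + r"C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] "
    + r".text ... * 2 "
    + UNS + r"C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 71af000a "
    + UNS + r"C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a "
    + UNS + r"C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] "
    + TH + r"C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]} "
    + TH + r"C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]} "
    + TH + r"C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 79000026"
)

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    print(shared_hook_sets(hooks), hook_regions(hooks), capture_api_hooks(hooks), sep="\n")
```

Run against a real dump, the interesting output is the grouping and the buckets: when every process shares one hook set and every destination falls into the same few buckets, the follow-up is to list the modules mapped at those addresses in one of the hooked processes and check their publisher; GMER's hook listing itself will not tell you whether the module is a security product or something that should not be there.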
11.05.2014, 18:14 | #9 |
| phishing mail possibly sent from gmail account part 7 Code:
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 79000026
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\system32\taskhost.exe[1276] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000021850a0 6 bytes {JMP QWORD [RIP+0x1caf90]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000771298e0 6 bytes {JMP QWORD [RIP+0x8f76750]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077140650 6 bytes {JMP QWORD [RIP+0x8f1f9e0]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000771bacf0 6 bytes {JMP QWORD [RIP+0x8ec5340]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes CALL 6f000000
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 2A]
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes {JMP QWORD [RIP+0x13db78]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes {JMP QWORD [RIP+0xf6cf4]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes JMP 0
.text C:\Program Files\CCleaner\CCleaner64.exe[3984] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000002df50a0 6 bytes {JMP QWORD [RIP+0x12faf90]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077263b10 6 bytes {JMP QWORD [RIP+0x8ddc520]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000772913a0 6 bytes {JMP QWORD [RIP+0x8d8ec90]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077291570 6 bytes {JMP QWORD [RIP+0x934eac0]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000772915e0 6 bytes {JMP QWORD [RIP+0x942ea50]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077291620 6 bytes {JMP QWORD [RIP+0x93eea10]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000772916c0 6 bytes {JMP QWORD [RIP+0x944e970]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077291750 6 bytes {JMP QWORD [RIP+0x93ce8e0]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077291790 6 bytes {JMP QWORD [RIP+0x92ce8a0]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772917e0 6 bytes {JMP QWORD [RIP+0x92ee850]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077291800 6 bytes {JMP QWORD [RIP+0x940e830]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000772919f0 6 bytes {JMP QWORD [RIP+0x94ce640]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077291b00 6 bytes {JMP QWORD [RIP+0x92ae530]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077291bd0 6 bytes {JMP QWORD [RIP+0x936e460]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077291d20 6 bytes {JMP QWORD [RIP+0x946e310]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077291d30 6 bytes {JMP QWORD [RIP+0x94ae300]}
.text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000772920a0 6 bytes {JMP QWORD [RIP+0x938df90]}
.text C:\Windows\system32\AUDIODG.EXE[4608] 
C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077292130 6 bytes {JMP QWORD [RIP+0x948df00]} .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772929a0 6 bytes {JMP QWORD [RIP+0x93ad690]} .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077292a20 6 bytes {JMP QWORD [RIP+0x930d610]} .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077292aa0 6 bytes {JMP QWORD [RIP+0x932d590]} .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd0b9055 3 bytes [B5, 6F, 06] .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd0c53c0 5 bytes [FF, 25, 70, AC, 0A] .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefdbb22d0 6 bytes {JMP QWORD [RIP+0x11dd60]} .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\GDI32.dll!BitBlt 000007fefdbb24b8 6 bytes JMP 350031 .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\GDI32.dll!MaskBlt 000007fefdbb5be0 6 bytes {JMP QWORD [RIP+0x15a450]} .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefdbb8384 6 bytes {JMP QWORD [RIP+0xd7cac]} .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefdbb89c4 6 bytes {JMP QWORD [RIP+0xb766c]} .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\GDI32.dll!GetPixel 000007fefdbb933c 6 bytes JMP 0 .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\GDI32.dll!StretchBlt 000007fefdbbb9e8 6 bytes {JMP QWORD [RIP+0x194648]} .text C:\Windows\system32\AUDIODG.EXE[4608] C:\Windows\System32\GDI32.dll!PlgBlt 000007fefdbbc8b0 6 bytes {JMP QWORD [RIP+0x173780]} .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtClose 000000007743f9e0 3 bytes JMP 
71af000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 000000007743f9e4 2 bytes JMP 71af000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007743fcb0 3 bytes JMP 70f7000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 000000007743fcb4 2 bytes JMP 70f7000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 000000007743fd64 3 bytes JMP 70e2000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 000000007743fd68 2 bytes JMP 70e2000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 000000007743fdc8 3 bytes JMP 70e8000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 000000007743fdcc 2 bytes JMP 70e8000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 000000007743fec0 3 bytes JMP 70df000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 000000007743fec4 2 bytes JMP 70df000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007743ffa4 3 bytes JMP 70eb000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 000000007743ffa8 2 bytes JMP 70eb000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077440004 3 bytes JMP 7103000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077440008 2 bytes JMP 7103000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077440084 3 bytes JMP 7100000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077440088 2 bytes JMP 7100000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000774400b4 3 bytes JMP 70e5000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 00000000774400b8 2 bytes JMP 70e5000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 00000000774403b8 3 bytes JMP 70d3000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 00000000774403bc 2 bytes JMP 70d3000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077440550 3 bytes JMP 7106000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077440554 2 bytes JMP 7106000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077440694 3 bytes JMP 70f4000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077440698 2 bytes JMP 70f4000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007744088c 3 bytes JMP 70dc000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077440890 2 bytes JMP 70dc000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 00000000774408a4 3 bytes JMP 70d6000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 00000000774408a8 2 bytes JMP 70d6000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077440df4 3 bytes JMP 70f1000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] 
C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077440df8 2 bytes JMP 70f1000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077440ed8 3 bytes JMP 70d9000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077440edc 2 bytes JMP 70d9000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077441be4 3 bytes JMP 70ee000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077441be8 2 bytes JMP 70ee000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077441cb4 3 bytes JMP 70fd000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077441cb8 2 bytes JMP 70fd000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077441d8c 3 bytes JMP 70fa000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077441d90 2 bytes JMP 70fa000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077461287 6 bytes JMP 71a8000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076f2103d 6 bytes JMP 719c000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076f21072 6 bytes JMP 7199000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f4c9b5 6 bytes JMP 7190000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000076ecf776 6 bytes JMP 719f000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] 
C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000076ed2c91 4 bytes CALL 71ac0000 .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000076838332 6 bytes JMP 7160000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000076838bff 6 bytes JMP 7154000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 00000000768390d3 6 bytes JMP 710f000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000076839679 6 bytes JMP 714e000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 00000000768397d2 6 bytes JMP 7148000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007683ee09 6 bytes JMP 7166000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!RegisterHotKey 000000007683efc9 3 bytes JMP 7115000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 000000007683efcd 2 bytes JMP 7115000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000768412a5 6 bytes JMP 715a000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!GetKeyState 000000007684291f 6 bytes JMP 712d000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SetParent 0000000076842d64 3 bytes JMP 7124000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000076842d68 2 bytes JMP 7124000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076842da4 6 bytes JMP 710c000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000076843698 3 bytes JMP 
7121000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 000000007684369c 2 bytes JMP 7121000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000076843baa 6 bytes JMP 715d000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000076843c61 6 bytes JMP 7157000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000076846110 6 bytes JMP 7163000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageA 000000007684612e 6 bytes JMP 7151000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000076846c30 6 bytes JMP 7112000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076847603 6 bytes JMP 7169000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000076847668 6 bytes JMP 713c000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 00000000768476e0 6 bytes JMP 7142000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 000000007684781f 6 bytes JMP 714b000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007684835c 6 bytes JMP 716c000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007684c4b6 3 bytes JMP 711e000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 000000007684c4ba 2 bytes JMP 711e000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 000000007685c112 6 bytes JMP 7139000a .text 
C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 000000007685d0f5 6 bytes JMP 7136000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007685eb96 6 bytes JMP 712a000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!GetKeyboardState 000000007685ec68 3 bytes JMP 7130000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 000000007685ec6c 2 bytes JMP 7130000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendInput 000000007685ff4a 3 bytes JMP 7133000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendInput + 4 000000007685ff4e 2 bytes JMP 7133000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000076879f1d 6 bytes JMP 7118000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000076881497 6 bytes JMP 7109000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!mouse_event 000000007689027b 6 bytes JMP 716f000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!keybd_event 00000000768902bf 6 bytes JMP 7172000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000076896cfc 6 bytes JMP 7145000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000076896d5d 6 bytes JMP 713f000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!BlockInput 0000000076897dd7 3 bytes JMP 711b000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000076897ddb 2 bytes JMP 711b000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] 
C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 00000000768988eb 3 bytes JMP 7127000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 00000000768988ef 2 bytes JMP 7127000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763858b3 6 bytes JMP 7184000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000076385ea6 6 bytes JMP 717e000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076387bcc 6 bytes JMP 718d000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007638b895 6 bytes JMP 7175000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007638c332 6 bytes JMP 717b000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007638cbfb 6 bytes JMP 7187000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007638e743 6 bytes JMP 718a000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000763b480f 6 bytes JMP 7178000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076af2642 6 bytes JMP 7196000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 0000000076af5429 6 bytes JMP 7193000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074e7124e 6 bytes JMP 7181000a .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076361465 2 bytes [36, 76] .text C:\Users\Chris\Downloads\Gmer-19357.exe[4528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763614bb 2 bytes [36, 76] .text ... 
* 2
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
---- EOF - GMER 2.1 ---- |
12.05.2014, 13:54 | #10 |
/// the machine /// TB-Ausbilder | Phishing mail possibly sent from gmail account. Have you changed the password for the account? Please download the appropriate version of Farbar's Recovery Scan Tool to your desktop: FRST 32-Bit | FRST 64-Bit (If you are not sure: download both versions, or check under Start > Computer (right-click) > Properties)
__________________ Regards, schrauber. Proud Member of UNITE and ASAP since 2009. Donations | Guides and help | Trojaner-Board Facebook page | No help via PM! |
12.05.2014, 14:02 | #11 |
| Phishing mail possibly sent from gmail account. Yes, it was already changed about 14 ago, but it is to be changed again today. Regards |
13.05.2014, 11:34 | #12 |
/// the machine /// TB-Ausbilder | Phishing mail possibly sent from gmail account. Then please also run FRST.
13.05.2014, 12:37 | #13 |
| Phishing mail possibly sent from gmail account. Oh right, that too. Thank you, I'll do it. Addition from FRST: Code:
ATTFilter Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-05-2014 01 Ran by Chris at 2014-05-13 13:19:49 Running from C:\Users\Chris\Downloads Boot Mode: Normal ========================================================== ==================== Security Center ======================== ==================== Installed Programs ====================== Update for Microsoft Office 2007 (KB2508958) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0C5823AA-7B6F-44E1-8D5B-8FD1FF0E6438}) (Version: - Microsoft) Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.8 - Adobe Systems) Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.6.0.19120 - Adobe Systems Incorporated) Adobe AIR (x32 Version: 2.6.0.19120 - Adobe Systems Incorporated) Hidden Adobe Flash Player 11 ActiveX (x64) (HKLM\...\{A10EE46B-C2E8-4FAB-A8F8-3E80D0662BA9}) (Version: 11.0.1.152 - Adobe Systems Incorporated) AMD APP SDK Runtime (Version: 2.5.732.1 - Advanced Micro Devices Inc.) Hidden AMD Catalyst Install Manager (HKLM\...\{D2A53F8D-3924-E600-6023-883B255E3812}) (Version: 3.0.842.0 - Advanced Micro Devices, Inc.) Brother MFL-Pro Suite DCP-7055 (HKLM-x32\...\{3ACCCFB3-7B17-4E9F-ACB0-46868FCD4487}) (Version: 1.0.7.0 - Brother Industries, Ltd.) Catalyst Control Center - Branding (x32 Version: 1.00.0000 - Advanced Micro Devices, Inc.) Hidden Catalyst Control Center (x32 Version: 2011.1024.117.375 - Advanced Micro Devices, Inc.) Hidden Catalyst Control Center Graphics Previews Common (x32 Version: 2011.1024.117.375 - Advanced Micro Devices, Inc.) Hidden Catalyst Control Center InstallProxy (x32 Version: 2011.1024.117.375 - Advanced Micro Devices, Inc.) Hidden Catalyst Control Center Localization All (x32 Version: 2011.1024.117.375 - Advanced Micro Devices, Inc.) Hidden Catalyst Control Center Profiles Desktop (x32 Version: 2011.1024.117.375 - Advanced Micro Devices, Inc.) 
Hidden CCC Help Chinese Standard (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Chinese Traditional (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Czech (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Danish (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Dutch (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help English (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Finnish (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help French (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help German (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Greek (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Hungarian (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Italian (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Japanese (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Korean (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Norwegian (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Polish (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Portuguese (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Russian (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Spanish (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Swedish (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Thai (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) Hidden CCC Help Turkish (x32 Version: 2011.1024.0116.375 - Advanced Micro Devices, Inc.) 
Hidden ccc-utility64 (Version: 2011.1024.117.375 - Advanced Micro Devices, Inc.) Hidden CCleaner (HKLM\...\CCleaner) (Version: 3.19 - Piriform) COMODO Internet Security (HKLM\...\{D6AB1F5B-FED6-49A9-9747-327BD28FB3C7}) (Version: 5.10.31649.2253 - COMODO Security Solutions Inc.) D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 - Microsoft) Hidden Driver Booster (HKLM-x32\...\Driver Booster_is1) (Version: 1.3 - IObit) Google Chrome (HKCU\...\Google Chrome) (Version: 34.0.1847.131 - Google Inc.) Hewlett-Packard ACLM.NET v1.1.2.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden HP Auto (Version: 1.0.12935.3667 - Hewlett-Packard Company) Hidden HP Client Services (Version: 1.1.12938.3539 - Hewlett-Packard) Hidden HP Customer Experience Enhancements (x32 Version: 6.0.1.8 - Hewlett-Packard) Hidden HP RSS (HKLM-x32\...\{A35E58D6-2A0F-4051-983B-79342081338E}) (Version: 5.1.4301.21494 - Hewlett-Packard) HP Setup (HKLM-x32\...\{F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1}) (Version: 9.0.15130.3904 - Hewlett-Packard Company) HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.2.15145.3905 - Hewlett-Packard Company) HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 11.00.0001 - Hewlett-Packard) HP TouchSmart RecipeBox (HKLM-x32\...\{20714B53-FC73-4F9C-9687-49EB237D6FD7}) (Version: 3.0.3830.27730 - Hewlett-Packard) HP Update (HKLM-x32\...\{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}) (Version: 5.003.001.001 - Hewlett-Packard) HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.12.1.0 - Hewlett-Packard) HydraVision (x32 Version: 4.2.212.0 - Advanced Micro Devices, Inc.) 
Hidden Intel(R) Identity Protection Technology 1.1.2.0 (HKLM-x32\...\{C01A86F5-56E7-101F-9BC9-E3F1025EB779}) (Version: 1.1.2.0 - Intel Corporation) Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.0.1351 - Intel Corporation) Intel® Trusted Connect Service Client (HKLM\...\{6199B534-A1B6-46ED-873B-97B0ECF8F81E}) (Version: 1.23.216.0 - Intel Corporation) LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version: - ) Malwarebytes Anti-Malware Version 2.0.1.1004 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.1.1004 - Malwarebytes Corporation) Microsoft .NET Framework 4.5.1 (DEU) (Version: 4.5.50938 - Microsoft Corporation) Hidden Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation) Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation) Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden Microsoft Mathematics (HKLM-x32\...\{4D090F70-6F08-4B60-9357-A1DFD4458F09}) (Version: 4.0 - Microsoft Corporation) Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft) Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0100-0407-0000-0000000FF1CE}_OMUI.de-de_{DB2ACBD1-65B1-4FC5-881E-4E75C668E7E2}) (Version: - Microsoft) Microsoft Office 2007 Service Pack 3 (SP3) (x32 Version: - Microsoft) Hidden Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation) Microsoft Office Access MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Access MUI (German) 2007 (x32 Version: 12.0.6612.1000 - 
Microsoft Corporation) Hidden Microsoft Office Access Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation) Microsoft Office Enterprise 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Excel MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Excel MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation) Microsoft Office Groove MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Groove MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Groove Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office InfoPath MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office InfoPath MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Language Pack 2007 - German/Deutsch (HKLM-x32\...\OMUI.de-de) (Version: 12.0.6612.1000 - Microsoft Corporation) Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation) Microsoft Office O MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office OneNote MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office OneNote MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Outlook MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft 
Corporation) Hidden Microsoft Office Outlook MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office PowerPoint MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office PowerPoint MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (Italian) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden Microsoft Office Proofing (German) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (x32 Version: - Microsoft) Hidden Microsoft Office Publisher MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Publisher MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Shared 64-bit MUI (German) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Shared MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) 
Hidden Microsoft Office SharePoint Designer 2007 Service Pack 3 (SP3) (x32 Version: - Microsoft) Hidden Microsoft Office SharePoint Designer MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office Word MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Office X MUI (German) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - 
Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation) MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation) MSXML 4.0 SP3 Parser (KB2721691) (HKLM-x32\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation) MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation) MSXML 4.0 SP3 Parser (KB973685) (HKLM-x32\...\{859DFA95-E4A6-48CD-B88E-A3E483E89B44}) (Version: 4.30.2107.0 - Microsoft Corporation) opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation) Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6463 - Realtek Semiconductor Corp.) Recovery Manager (x32 Version: 5.5.0.4424 - CyberLink Corp.) Hidden Skype™ 6.11 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.11.102 - Skype Technologies S.A.) 
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.27614 - TeamViewer) TeraCopy 2.27 (HKLM\...\TeraCopy_is1) (Version: - Code Sector) TSHostedAppLauncher (x32 Version: 5.1.15.0 - Hewlett-Packard) Hidden Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft) Update for Microsoft Office 2007 Help for Common Features (KB963673) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{AB365889-0395-4FAD-B702-CA5985D53D42}) (Version: - Microsoft) Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version: - Microsoft) Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM-x32\...\{90120000-0100-0407-0000-0000000FF1CE}_OMUI.de-de_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version: - Microsoft) Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6FAA03BD-2B51-4029-9AD9-64A3B8E3C84C}) (Version: - Microsoft) Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version: - Microsoft) Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version: - Microsoft) Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version: - Microsoft) Update for Microsoft Office Access 2007 Help (KB963663) (HKLM-x32\...\{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}) (Version: - Microsoft) Update for Microsoft Office Excel 2007 Help (KB963678) 
(HKLM-x32\...\{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{199DF7B6-169C-448C-B511-1054101BE9C9}) (Version: - Microsoft) Update for Microsoft Office Infopath 2007 Help (KB963662) (HKLM-x32\...\{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{716B81B8-B13C-41DF-8EAC-7A2F656CAB63}) (Version: - Microsoft) Update for Microsoft Office OneNote 2007 Help (KB963670) (HKLM-x32\...\{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2744EF05-38E1-4D5D-B333-E021EDAEA245}) (Version: - Microsoft) Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (HKLM-x32\...\{90120000-001A-0407-0000-0000000FF1CE}_OMUI.de-de_{EA54F104-79D2-48CC-9ABC-91A63C43D353}) (Version: - Microsoft) Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (HKLM-x32\...\{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{ED38F8A3-4F61-494E-8BCA-E3AC7760C924}) (Version: - Microsoft) Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{53DEC068-4690-4F6B-9946-7D21EF02236B}) (Version: - Microsoft) Update for Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{0451F231-E3E3-4943-AB9F-58EB96171784}) (Version: - Microsoft) Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2878297) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{9B1DEEA3-B4ED-49F0-9EF7-4A820EEEA7F1}) (Version: - Microsoft) Update for Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{397B1D4F-ED7B-4ACA-A637-43B670843876}) (Version: - Microsoft) Update for Microsoft Office Publisher 2007 Help (KB963667) (HKLM-x32\...\{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2E40DE55-B289-4C8B-8901-5D369B16814F}) (Version: - Microsoft) Update for Microsoft Office Script Editor Help (KB963671) 
(HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{CD11C6A2-FFC6-4271-8EAB-79C3582F505C}) (Version: - Microsoft) Update for Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{80E762AA-C921-4839-9D7D-DB62A72C0726}) (Version: - Microsoft) Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0407-0000-0000000FF1CE}_OMUI.de-de_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version: - Microsoft) Update für Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0407-0000-0000000FF1CE}_OMUI.de-de_{F6828576-6F79-470D-AB50-69D1BBADBD30}) (Version: - Microsoft) Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0407-0000-0000000FF1CE}_OMUI.de-de_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version: - Microsoft) Update für Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0407-0000-0000000FF1CE}_OMUI.de-de_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version: - Microsoft) Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation) Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 - Microsoft Corporation) Hidden Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden Windows Live Language Selector (Version: 15.4.3538.0513 - Microsoft Corporation) Hidden Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation) Windows Live Mesh ActiveX control for remote connections (HKLM-x32\...\{C5398A89-516C-4DAF-BA07-EE7949090E56}) (Version: 15.4.5722.2 - Microsoft Corporation) Windows Live Messenger (x32 Version: 15.4.3538.0513 - Microsoft Corporation) Hidden Windows 
Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden WinRAR (HKLM\...\WinRAR archiver) (Version: - ) ==================== Restore Points ========================= Could not list Restore Points. Check "winmgmt" service or repair WMI. ==================== Hosts content: ========================== 2009-07-14 04:34 - 2012-06-24 14:32 - 00000854 ____A C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 activate.adobe.com ==================== Scheduled Tasks (whitelisted) ============= Task: {078E6E11-7719-44AE-BFF4-6D7B7256A8AC} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3894639216-1814265187-922892143-1000Core => C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-24] (Google Inc.) Task: {198B137C-5520-40C7-94D9-F6A153E88A37} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe Task: {1F8251FC-EFD0-489D-808F-6A861B5DF308} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Opt-in For HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF_Utils.exe Task: {296DC906-DB50-46C2-B889-C5FEE0D22698} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3894639216-1814265187-922892143-1000UA => C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-24] (Google Inc.) 
Task: {3062B893-51AE-4636-A5B5-7BC1AD9A540F} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-04-16] (COMODO) Task: {579C7389-E742-4B8C-AF14-C7F02B3FDD42} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe Task: {5EC5BA3D-AEDF-4AFD-B43A-990B20A2D5DB} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-04-16] (COMODO) Task: {69B87972-88B7-4EE3-AC38-4C6D12F021A3} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe [2011-06-14] (Hewlett-Packard) Task: {7B3CB651-925A-4F5B-A290-C20CC3F32B36} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Total Care Tune-Up => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPTuneUp.exe Task: {84192792-3299-4576-9DAD-E3A6230A8F44} - System32\Tasks\Driver Booster SkipUAC (Chris) => C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe [2014-03-07] (IObit) Task: {87D99385-AD21-4E1F-A691-C376497E7750} - System32\Tasks\Driver Booster Update => C:\Program Files (x86)\IObit\Driver Booster\AutoUpdate.exe [2014-03-07] (IObit) Task: {B57EF6D6-E796-4B90-8C0D-34E7F6BC4C4E} - System32\Tasks\COMODO\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-04-16] (COMODO) Task: {B98AFE82-4A3D-4327-9529-105FCCD8DDE9} - System32\Tasks\COMODO\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-04-16] (COMODO) Task: {F6C6954B-1F1E-4525-B2C3-64843A9E153D} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe 
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3894639216-1814265187-922892143-1000Core.job => C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3894639216-1814265187-922892143-1000UA.job => C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe ==================== Loaded Modules (whitelisted) ============= 2011-10-24 10:16 - 2011-10-24 10:16 - 00369152 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll 2011-04-12 01:20 - 2011-04-12 01:20 - 00098304 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll 2011-04-12 01:20 - 2011-04-12 01:20 - 00028672 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\BrandingResources.dll ==================== Alternate Data Streams (whitelisted) ========= ==================== Safe Mode (whitelisted) =================== ==================== EXE Association (whitelisted) ============= ==================== Disabled items from MSCONFIG ============== MSCONFIG\startupreg: HP Software Update => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe MSCONFIG\startupreg: hpsysdrv => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe MSCONFIG\startupreg: IndexSearch => "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe" MSCONFIG\startupreg: ISUSPM => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler MSCONFIG\startupreg: PaperPort PTD => "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe" ==================== Faulty Device Manager Devices ============= Could not list Devices. Check "winmgmt" service or repair WMI. ==================== Event log errors: ========================= Application errors: ================== Error: (05/11/2014 05:26:59 PM) (Source: Windows Search Service) (User: ) (EventID: 7010) Description: Der Index kann nicht initialisiert werden. Details: Der Inhaltsindexkatalog ist fehlerhaft. 
(HRESULT : 0xc0041801) (0xc0041801) Error: (05/11/2014 05:26:59 PM) (Source: Windows Search Service) (User: ) (EventID: 3058) Description: Die Anwendung kann nicht initialisiert werden. Kontext: Windows Anwendung Details: Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801) Error: (05/11/2014 05:26:59 PM) (Source: Windows Search Service) (User: ) (EventID: 3028) Description: Das Gatherer-Objekt kann nicht initialisiert werden. Kontext: Windows Anwendung, SystemIndex Katalog Details: Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801) Error: (05/11/2014 05:26:59 PM) (Source: Windows Search Service) (User: ) (EventID: 3029) Description: Plug-In in <Search.TripoliIndexer> kann nicht initialisiert werden. Kontext: Windows Anwendung, SystemIndex Katalog Details: Element nicht gefunden. (HRESULT : 0x80070490) (0x80070490) Error: (05/11/2014 05:26:59 PM) (Source: Windows Search Service) (User: ) (EventID: 3029) Description: Plug-In in <Search.JetPropStore> kann nicht initialisiert werden. Kontext: Windows Anwendung, SystemIndex Katalog Details: Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801) Error: (05/11/2014 05:26:59 PM) (Source: Windows Search Service) (User: ) (EventID: 9002) Description: Die Eigenschaftenspeicherdaten können von Windows Search nicht geladen werden. Kontext: Windows Anwendung, SystemIndex Katalog Details: Die Inhaltsindexdatenbank ist fehlerhaft. (HRESULT : 0xc0041800) (0xc0041800) Error: (05/11/2014 05:26:59 PM) (Source: Windows Search Service) (User: ) (EventID: 7042) Description: Windows Search wird aufgrund eines Problems bei der Indizierung The catalog is corrupt beendet. Details: Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801) Error: (05/11/2014 05:26:59 PM) (Source: Windows Search Service) (User: ) (EventID: 7040) Description: Vom Suchdienst wurden beschädigte Datendateien im Index {id=4700} erkannt. 
Vom Dienst wird versucht, dieses Problem durch Neuerstellung des Indexes automatisch zu beheben. Details: Der Inhaltsindexkatalog ist fehlerhaft. (HRESULT : 0xc0041801) (0xc0041801) Error: (05/11/2014 05:26:59 PM) (Source: Windows Search Service) (User: ) (EventID: 9000) Description: Der Jet-Eigenschaftenspeicher kann von Windows Search nicht geöffnet werden. Details: 0x%08x (0xc0041800 - Die Inhaltsindexdatenbank ist fehlerhaft. (HRESULT : 0xc0041800)) Error: (05/11/2014 05:26:58 PM) (Source: ESENT) (User: ) (EventID: 455) Description: Windows (2548) Windows: Fehler -1811 beim Öffnen von Protokolldatei C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00060.log. System errors: ============= Error: (05/11/2014 05:26:59 PM) (Source: Service Control Manager) (User: ) (EventID: 7031) Description: Der Dienst "Windows Search" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 30000 Millisekunden durchgeführt: Neustart des Diensts. Error: (05/11/2014 05:26:59 PM) (Source: Service Control Manager) (User: ) (EventID: 7024) Description: Der Dienst "Windows Search" wurde mit folgendem dienstspezifischem Fehler beendet: %%-1073473535. Error: (05/11/2014 05:26:45 PM) (Source: Service Control Manager) (User: ) (EventID: 7000) Description: Der Dienst "TeamViewer 9" wurde aufgrund folgenden Fehlers nicht gestartet: %%1053 Error: (05/11/2014 05:26:45 PM) (Source: Service Control Manager) (User: ) (EventID: 7009) Description: Das Zeitlimit (30000 ms) wurde beim Verbindungsversuch mit dem Dienst TeamViewer 9 erreicht. 
Error: (05/11/2014 05:26:07 PM) (Source: BugCheck) (User: ) (EventID: 1001) Description: 0x0000009f (0x0000000000000004, 0x0000000000000258, 0xfffffa8003cc7660, 0xfffff80000b9c3d0)C:\Windows\Minidump\051114-20872-01.dmp051114-20872-01 Error: (04/28/2014 06:18:57 PM) (Source: WMPNetworkSvc) (User: ) (EventID: 14332) Description: WMPNetworkSvc0x80004005 Error: (04/09/2014 05:39:35 PM) (Source: Microsoft-Windows-LanguagePackSetup) (User: NT-AUTORITÄT) (EventID: 1000) Description: Fehler bei der CBS-Clientinitialisierung. Letzter Fehler: 0x8007045b Error: (03/09/2014 04:03:24 PM) (Source: Service Control Manager) (User: ) (EventID: 7023) Description: Der Dienst "Funktionssuche-Ressourcenveröffentlichung" wurde mit folgendem Fehler beendet: %%-2147014847 Error: (02/04/2014 11:56:48 AM) (Source: Disk) (User: ) (EventID: 11) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR2 gefunden. Error: (02/04/2014 11:56:47 AM) (Source: Disk) (User: ) (EventID: 11) Description: Der Treiber hat einen Controllerfehler auf \Device\Harddisk2\DR2 gefunden. 
Microsoft Office Sessions: ========================= ==================== Memory info =========================== Percentage of memory in use: 43% Total physical RAM: 4076.83 MB Available physical RAM: 2295.6 MB Total Pagefile: 8151.84 MB Available Pagefile: 5827.3 MB Total Virtual: 8192 MB Available Virtual: 8191.84 MB ==================== Drives ================================ Drive c: (OS) (Fixed) (Total:448.19 GB) (Free:390.97 GB) NTFS Drive d: (HP_RECOVERY) (Fixed) (Total:17.47 GB) (Free:2.19 GB) NTFS ==>[System with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 623F58B3) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=448 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=17 GB) - (Type=07 NTFS) ==================== End Of Log ============================ FRST Logfile: Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-05-2014 01 Ran by Chris (administrator) on CHRIS-PC on 13-05-2014 13:19:30 Running from C:\Users\Chris\Downloads Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: German Standard Internet Explorer Version 11 Boot Mode: Normal ==================== Processes (Whitelisted) ================= (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe (Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe (Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe (Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe (TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe (Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (Google Inc.) C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1275608 2014-03-25] (COMODO) HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2011-10-24] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139264 2011-04-20] (Brother Industries, Ltd.) 
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [2621440 2010-06-10] (Brother Industries, Ltd.) HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1 HKU\S-1-5-21-3894639216-1814265187-922892143-1000\...\Run: [Google Update] => C:\Users\Chris\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-06-24] (Google Inc.) HKU\S-1-5-21-3894639216-1814265187-922892143-1000\...\Policies\system: [DisableLockWorkstation] 0 HKU\S-1-5-21-3894639216-1814265187-922892143-1000\...\Policies\system: [DisableChangePassword] 0 ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.yahoo.com?fr=fp-comodo HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPDSK/4 SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPDTDF SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF SearchScopes: HKLM - {BDC4F4A0-CAD8-417B-A7BA-286281C6314E} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de1-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms} SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://de.wikipedia.org/wiki/Special:Search?search={searchTerms} SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/707-111076-19270-2/4?mpre=hxxp://www.ebay.de/sch/i.html?_nkw={searchTerms} SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPDTDF SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF SearchScopes: HKLM-x32 - {BDC4F4A0-CAD8-417B-A7BA-286281C6314E} URL = 
hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de1-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms} SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://de.wikipedia.org/wiki/Special:Search?search={searchTerms} SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/707-111076-19270-2/4?mpre=hxxp://www.ebay.de/sch/i.html?_nkw={searchTerms} SearchScopes: HKCU - DefaultScope {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://eu.ask.com/web?q={searchterms}&l=dis&o=HPDTDF SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo SearchScopes: HKCU - {BDC4F4A0-CAD8-417B-A7BA-286281C6314E} URL = hxxp://www.amazon.de/s/ref=azs_osd_ieade?ie=UTF-8&tag=hp-de1-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms} SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://de.wikipedia.org/wiki/Special:Search?search={searchTerms} SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/707-111076-19270-2/4?mpre=hxxp://www.ebay.de/sch/i.html?_nkw={searchTerms} BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) 
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) BHO-x32: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated) Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies) Hosts: 127.0.0.1 activate.adobe.com Tcpip\Parameters: [DhcpNameServer] 192.168.178.1 Tcpip\..\Interfaces\{AC6272FF-9E8F-45BB-B90C-FF179E2A4FE9}: [NameServer]156.154.70.22,156.154.71.22 FireFox: ======== FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation) FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52 - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation) FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation) FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation) FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.) FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.) 
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Chris\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Chris\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-06-24]

Chrome: =======
CHR HomePage: hxxp://www.google.com/
CHR StartupUrls: "https://www.google.de/"
CHR Plugin: (Shockwave Flash) - C:\Users\Chris\AppData\Local\Google\Chrome\Application\21.0.1180.79\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Chris\AppData\Local\Google\Chrome\Application\34.0.1847.131\gcswf32.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Chris\AppData\Local\Google\Chrome\Application\34.0.1847.131\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Chris\AppData\Local\Google\Chrome\Application\34.0.1847.131\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
CHR Plugin: (Google Update) - C:\Users\Chris\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Extension: (YouTube) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-06-24]
CHR Extension: (Google-Suche) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-06-24]
CHR Extension: (Google Wallet) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Google Mail) - C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-06-24]
CHR HKCU\...\Chrome\Extension: [nikpibnbobmbdbheedjfogjlikpgpnhp] - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\DVDVideoSoftBrowserExtension.crx [2012-06-24]
CHR StartMenuInternet: Google Chrome - C:\Users\Chris\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6817544 2014-04-16] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2264280 2014-03-25] (COMODO)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128280 2011-12-16] ()

==================== Drivers (Whitelisted) ====================

R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2014-04-16] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [738472 2014-04-16] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48360 2014-04-16] (COMODO)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105552 2014-04-16] (COMODO)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [100312 2014-04-20] (Intel Corporation)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2012-03-28] ()

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-05-13 13:19 - 2014-05-13 13:19 - 02066944 _____ (Farbar) C:\Users\Chris\Downloads\Nicht bestätigt 352134.crdownload
2014-05-13 13:15 - 2014-05-13 13:19 - 00012326 _____ () C:\Users\Chris\Downloads\FRST.txt
2014-05-13 13:15 - 2014-05-13 13:15 - 00000000 ____D () C:\FRST
2014-05-13 13:14 - 2014-05-13 13:15 - 02066944 _____ (Farbar) C:\Users\Chris\Downloads\FRST64.exe
2014-05-11 17:28 - 2014-05-11 17:28 - 00109688 _____ () C:\Users\Chris\AppData\Local\GDIPFONTCACHEV1.DAT
2014-05-11 17:26 - 2014-05-13 12:37 - 00000224 _____ () C:\Windows\setupact.log
2014-05-11 17:26 - 2014-05-11 17:26 - 00000000 _____ () C:\Windows\setuperr.log
2014-05-11 17:25 - 2014-05-11 17:26 - 00421440 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-05-11 15:28 - 2014-05-11 15:28 - 00001911 _____ () C:\Users\Chris\Downloads\mail-delivery.txt.txt
2014-05-11 15:21 - 2014-05-11 15:21 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-11 15:05 - 2014-05-11 15:05 - 00554008 _____ () C:\Users\Chris\Desktop\gmer.txt
2014-05-11 15:03 - 2014-05-11 15:03 - 00001064 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-05-11 15:03 - 2014-05-11 15:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-05-11 15:03 - 2014-05-11 15:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-11 15:03 - 2014-05-11 15:03 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-05-11 15:03 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-05-11 15:03 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-05-11 15:03 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-05-11 15:01 - 2014-05-11 15:02 - 00001911 _____ () C:\Users\Chris\Desktop\mail-delivery.txt.txt
2014-05-11 14:56 - 2014-05-11 14:56 - 00283144 _____ (Mozilla) C:\Users\Chris\Downloads\Firefox Setup Stub 29.0.1.exe
2014-05-11 14:52 - 2014-05-11 14:53 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Chris\Downloads\mbam-setup-2.0.1.1004 (1).exe
2014-05-11 14:35 - 2014-05-11 14:35 - 00380416 _____ () C:\Users\Chris\Downloads\Gmer-19357.exe
2014-05-07 14:06 - 2014-05-07 14:07 - 06103040 _____ () C:\Program Files (x86)\GUTBE8F.tmp
2014-05-07 14:06 - 2014-05-07 14:06 - 00000000 ____D () C:\Program Files (x86)\GUMBE6F.tmp
2014-05-06 15:02 - 2014-05-06 15:02 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-06 12:49 - 2014-04-14 04:24 - 00465408 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-06 12:49 - 2014-04-14 04:19 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-05-03 15:25 - 2014-04-29 16:01 - 23547904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-03 15:25 - 2014-04-29 15:40 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-03 15:25 - 2014-04-29 14:48 - 17384448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-03 15:25 - 2014-04-29 14:34 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-23 13:49 - 2014-04-23 13:55 - 125481720 _____ () C:\Users\Chris\Downloads\Morgenstern_01_mp3.zip
2014-04-20 18:07 - 2014-04-20 18:07 - 00100312 _____ (Intel Corporation) C:\Windows\system32\Drivers\TeeDriverx64.sys
2014-04-20 18:03 - 2014-04-20 18:03 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Comodo
2014-04-20 18:02 - 2014-04-20 18:05 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO
2014-04-20 18:02 - 2014-04-20 18:02 - 00000000 ____D () C:\ProgramData\Shared Space
2014-04-20 18:02 - 2014-04-20 18:02 - 00000000 ____D () C:\ProgramData\Comodo Downloader
2014-04-20 18:02 - 2014-03-25 21:22 - 00352984 _____ (COMODO) C:\Windows\system32\cmdvrt64.dll
2014-04-20 18:02 - 2014-03-25 21:22 - 00284888 _____ (COMODO) C:\Windows\SysWOW64\cmdvrt32.dll
2014-04-20 18:02 - 2014-03-25 21:22 - 00045784 _____ (COMODO) C:\Windows\system32\cmdkbd64.dll
2014-04-20 18:02 - 2014-03-25 21:22 - 00040664 _____ (COMODO) C:\Windows\SysWOW64\cmdkbd32.dll
2014-04-20 17:56 - 2014-04-20 17:56 - 01795952 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01011.dll
2014-04-20 17:56 - 2014-04-20 17:56 - 00901848 _____ (Realtek ) C:\Windows\system32\Drivers\Rt64win7.sys
2014-04-20 17:56 - 2014-04-20 17:56 - 00073800 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RtNicProp64.dll
2014-04-20 17:56 - 2014-04-20 17:56 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_TeeDriverx64_01011.Wdf
2014-04-20 17:52 - 2014-03-06 11:31 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-04-20 17:52 - 2014-03-06 10:59 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-04-20 17:52 - 2014-03-06 10:57 - 00548352 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-04-20 17:52 - 2014-03-06 10:57 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-04-20 17:52 - 2014-03-06 10:53 - 02767360 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-04-20 17:52 - 2014-03-06 10:40 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-04-20 17:52 - 2014-03-06 10:39 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-04-20 17:52 - 2014-03-06 10:32 - 00574976 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-04-20 17:52 - 2014-03-06 10:29 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-04-20 17:52 - 2014-03-06 10:29 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-04-20 17:52 - 2014-03-06 10:28 - 00752640 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-04-20 17:52 - 2014-03-06 10:15 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-04-20 17:52 - 2014-03-06 10:11 - 05784064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-04-20 17:52 - 2014-03-06 10:09 - 00453120 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-04-20 17:52 - 2014-03-06 10:03 - 00586240 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-04-20 17:52 - 2014-03-06 10:02 - 00455168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-04-20 17:52 - 2014-03-06 10:02 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-04-20 17:52 - 2014-03-06 10:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-04-20 17:52 - 2014-03-06 09:56 - 00038400 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-04-20 17:52 - 2014-03-06 09:48 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-04-20 17:52 - 2014-03-06 09:47 - 02178048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-04-20 17:52 - 2014-03-06 09:46 - 04254720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-04-20 17:52 - 2014-03-06 09:46 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-04-20 17:52 - 2014-03-06 09:45 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-04-20 17:52 - 2014-03-06 09:42 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-04-20 17:52 - 2014-03-06 09:40 - 00440832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-04-20 17:52 - 2014-03-06 09:38 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-04-20 17:52 - 2014-03-06 09:36 - 00592896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-04-20 17:52 - 2014-03-06 09:22 - 00367616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-04-20 17:52 - 2014-03-06 09:21 - 00628736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-04-20 17:52 - 2014-03-06 09:13 - 00032256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-04-20 17:52 - 2014-03-06 09:11 - 02043904 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-04-20 17:52 - 2014-03-06 09:07 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-04-20 17:52 - 2014-03-06 09:01 - 00244224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-04-20 17:52 - 2014-03-06 08:53 - 13551104 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-04-20 17:52 - 2014-03-06 08:46 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-04-20 17:52 - 2014-03-06 08:40 - 01967104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-04-20 17:52 - 2014-03-06 08:36 - 11745792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-04-20 17:52 - 2014-03-06 08:22 - 02260480 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-04-20 17:52 - 2014-03-06 07:58 - 01400832 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-04-20 17:52 - 2014-03-06 07:50 - 00846336 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-04-20 17:52 - 2014-03-06 07:43 - 00704512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-04-20 17:52 - 2014-03-06 07:41 - 01789440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-04-20 17:52 - 2014-03-06 07:36 - 01143808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-04-20 17:45 - 2014-04-20 17:45 - 00003158 _____ () C:\Windows\System32\Tasks\Driver Booster Update
2014-04-20 17:45 - 2014-04-20 17:45 - 00002856 _____ () C:\Windows\System32\Tasks\Driver Booster SkipUAC (Chris)
2014-04-20 17:45 - 2014-04-20 17:45 - 00001132 _____ () C:\Users\Public\Desktop\Driver Booster.lnk
2014-04-20 17:45 - 2014-04-20 17:45 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\IObit
2014-04-20 17:45 - 2014-04-20 17:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Booster
2014-04-20 17:45 - 2014-04-20 17:45 - 00000000 ____D () C:\ProgramData\IObit
2014-04-20 17:45 - 2014-04-20 17:45 - 00000000 ____D () C:\Program Files (x86)\IObit
2014-04-20 17:43 - 2014-04-20 17:44 - 21297216 _____ (IObit ) C:\Users\Chris\Downloads\driver_booster_setup_1.3.exe

==================== One Month Modified Files and Folders =======

2014-05-13 13:19 - 2014-05-13 13:19 - 02066944 _____ (Farbar) C:\Users\Chris\Downloads\Nicht bestätigt 352134.crdownload
2014-05-13 13:19 - 2014-05-13 13:15 - 00012326 _____ () C:\Users\Chris\Downloads\FRST.txt
2014-05-13 13:17 - 2012-06-24 14:02 - 01467537 _____ () C:\Windows\system32\Drivers\sfi.dat
2014-05-13 13:15 - 2014-05-13 13:15 - 00000000 ____D () C:\FRST
2014-05-13 13:15 - 2014-05-13 13:14 - 02066944 _____ (Farbar) C:\Users\Chris\Downloads\FRST64.exe
2014-05-13 13:11 - 2012-06-24 14:06 - 00001120 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3894639216-1814265187-922892143-1000UA.job
2014-05-13 12:54 - 2012-06-24 13:48 - 00551702 _____ () C:\Windows\WindowsUpdate.log
2014-05-13 12:45 - 2009-07-14 06:45 - 00024400 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-13 12:45 - 2009-07-14 06:45 - 00024400 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-13 12:37 - 2014-05-11 17:26 - 00000224 _____ () C:\Windows\setupact.log
2014-05-13 12:37 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-12 14:11 - 2012-06-24 14:06 - 00001068 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3894639216-1814265187-922892143-1000Core.job
2014-05-12 13:41 - 2012-06-24 13:51 - 00003930 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{E16436B6-3783-4D07-A03D-D9BFFF3CDE05}
2014-05-11 17:28 - 2014-05-11 17:28 - 00109688 _____ () C:\Users\Chris\AppData\Local\GDIPFONTCACHEV1.DAT
2014-05-11 17:26 - 2014-05-11 17:26 - 00000000 _____ () C:\Windows\setuperr.log
2014-05-11 17:26 - 2014-05-11 17:25 - 00421440 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-05-11 17:26 - 2012-10-07 17:18 - 00000000 ____D () C:\Windows\Minidump
2014-05-11 17:25 - 2012-03-28 18:50 - 00285981 ____N () C:\Windows\Minidump\051114-20872-01.dmp
2014-05-11 15:57 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\rescache
2014-05-11 15:28 - 2014-05-11 15:28 - 00001911 _____ () C:\Users\Chris\Downloads\mail-delivery.txt.txt
2014-05-11 15:21 - 2014-05-11 15:21 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-11 15:21 - 2012-06-24 14:17 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\HpUpdate
2014-05-11 15:05 - 2014-05-11 15:05 - 00554008 _____ () C:\Users\Chris\Desktop\gmer.txt
2014-05-11 15:03 - 2014-05-11 15:03 - 00001064 _____ () C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2014-05-11 15:03 - 2014-05-11 15:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ Malwarebytes Anti-Malware
2014-05-11 15:03 - 2014-05-11 15:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-11 15:03 - 2014-05-11 15:03 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2014-05-11 15:02 - 2014-05-11 15:01 - 00001911 _____ () C:\Users\Chris\Desktop\mail-delivery.txt.txt
2014-05-11 14:56 - 2014-05-11 14:56 - 00283144 _____ (Mozilla) C:\Users\Chris\Downloads\Firefox Setup Stub 29.0.1.exe
2014-05-11 14:53 - 2014-05-11 14:52 - 17305616 _____ (Malwarebytes Corporation ) C:\Users\Chris\Downloads\mbam-setup-2.0.1.1004 (1).exe
2014-05-11 14:35 - 2014-05-11 14:35 - 00380416 _____ () C:\Users\Chris\Downloads\Gmer-19357.exe
2014-05-07 14:07 - 2014-05-07 14:06 - 06103040 _____ () C:\Program Files (x86)\GUTBE8F.tmp
2014-05-07 14:06 - 2014-05-07 14:06 - 00000000 ____D () C:\Program Files (x86)\GUMBE6F.tmp
2014-05-07 14:06 - 2012-06-24 14:06 - 00004094 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3894639216-1814265187-922892143-1000UA
2014-05-07 14:06 - 2012-06-24 14:06 - 00003698 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3894639216-1814265187-922892143-1000Core
2014-05-06 15:02 - 2014-05-06 15:02 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-04-29 16:01 - 2014-05-03 15:25 - 23547904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-04-29 15:40 - 2014-05-03 15:25 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-04-29 14:48 - 2014-05-03 15:25 - 17384448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-04-29 14:34 - 2014-05-03 15:25 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-04-23 13:55 - 2014-04-23 13:49 - 125481720 _____ () C:\Users\Chris\Downloads\Morgenstern_01_mp3.zip
2014-04-22 11:33 - 2009-12-24 15:38 - 00000000 ____D () C:\Users\Chris\Documents\T-Online Rechnungen
2014-04-21 12:53 - 2012-03-28 17:19 - 00699416 _____ () C:\Windows\system32\perfh007.dat
2014-04-21 12:53 - 2012-03-28 17:19 - 00149556 _____ () C:\Windows\system32\perfc007.dat
2014-04-21 12:53 - 2009-07-14 07:13 - 01620612 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-20 18:07 - 2014-04-20 18:07 - 00100312 _____ (Intel Corporation) C:\Windows\system32\Drivers\TeeDriverx64.sys
2014-04-20 18:05 - 2014-04-20 18:02 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO
2014-04-20 18:05 - 2009-07-14 07:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-04-20 18:03 - 2014-04-20 18:03 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\Comodo
2014-04-20 18:02 - 2014-04-20 18:02 - 00000000 ____D () C:\ProgramData\Shared Space
2014-04-20 18:02 - 2014-04-20 18:02 - 00000000 ____D () C:\ProgramData\Comodo Downloader
2014-04-20 18:02 - 2012-06-24 14:01 - 00002282 _____ () C:\Users\Public\Desktop\COMODO Internet Security.lnk
2014-04-20 17:59 - 2009-07-14 06:57 - 00001547 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2014-04-20 17:57 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-04-20 17:56 - 2014-04-20 17:56 - 01795952 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01011.dll
2014-04-20 17:56 - 2014-04-20 17:56 - 00901848 _____ (Realtek ) C:\Windows\system32\Drivers\Rt64win7.sys
2014-04-20 17:56 - 2014-04-20 17:56 - 00073800 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RtNicProp64.dll
2014-04-20 17:56 - 2014-04-20 17:56 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_TeeDriverx64_01011.Wdf
2014-04-20 17:56 - 2012-03-28 17:31 - 00107552 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst64.dll
2014-04-20 17:50 - 2013-12-24 16:15 - 00001064 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-04-20 17:50 - 2013-12-24 16:15 - 00001052 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-04-20 17:45 - 2014-04-20 17:45 - 00003158 _____ () C:\Windows\System32\Tasks\Driver Booster Update
2014-04-20 17:45 - 2014-04-20 17:45 - 00002856 _____ () C:\Windows\System32\Tasks\Driver Booster SkipUAC (Chris)
2014-04-20 17:45 - 2014-04-20 17:45 - 00001132 _____ () C:\Users\Public\Desktop\Driver Booster.lnk
2014-04-20 17:45 - 2014-04-20 17:45 - 00000000 ____D () C:\Users\Chris\AppData\Roaming\IObit
2014-04-20 17:45 - 2014-04-20 17:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Driver Booster
2014-04-20 17:45 - 2014-04-20 17:45 - 00000000 ____D () C:\ProgramData\IObit
2014-04-20 17:45 - 2014-04-20 17:45 - 00000000 ____D () C:\Program Files (x86)\IObit
2014-04-20 17:44 - 2014-04-20 17:43 - 21297216 _____ (IObit ) C:\Users\Chris\Downloads\driver_booster_setup_1.3.exe
2014-04-16 23:12 - 2012-03-11 21:13 - 00738472 _____ (COMODO) C:\Windows\system32\Drivers\cmdGuard.sys
2014-04-16 23:12 - 2012-03-11 21:13 - 00048360 _____ (COMODO) C:\Windows\system32\Drivers\cmdhlp.sys
2014-04-16 23:12 - 2012-03-11 21:13 - 00023168 _____ (COMODO) C:\Windows\system32\Drivers\cmderd.sys
2014-04-16 23:12 - 2012-02-03 19:27 - 00105552 _____ (COMODO) C:\Windows\system32\Drivers\inspect.sys
2014-04-14 04:24 - 2014-05-06 12:49 - 00465408 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-04-14 04:19 - 2014-05-06 12:49 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-05-11 15:50

==================== End Of Log ============================

--- --- --- |
14.05.2014, 11:35 | #14 |
/// the machine /// TB trainer | phishing mail possibly sent from gmail account Quote:
__________________ Regards, schrauber. Proud Member of UNITE and ASAP since 2009. No help via PM! |
14.05.2014, 12:06 | #15 |
| phishing mail possibly sent from gmail account What is that supposed to be? |