Log analysis and evaluation: Windows 8.1, "BKA/Interpol virus", computer runs, process disabled in Task Manager
08.02.2015, 02:04 | #1
Hello, I have once again been given a "baby" to rescue. So it is not my PC, but it comes from a private individual. Hence the obfuscation of the names (... as you will notice shortly). The problem is already briefly outlined above: shortly after Windows 8.1 has started (for my taste: dreadful!), the screen is covered by a "BKA" warning, backed by Interpol, Europol, etc., and you can only get into shutdown mode via the three-finger salute. The Task Manager cannot be activated any more then either, but there is a short window before the message appears in which I was able to start the TM and disable a process (named 7FA63AB57.cpp) under "Startup". After that the system could be used again without problems. I was almost inclined to return the computer in this state, but then I forced myself to tackle the problem at its root. So here are the first logs. Many thanks in advance for your support!!!

defogger:
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 00:39 on 08/02/2015 (*****)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-02-2015
Ran by ***** at 2015-02-08 00:43:46
Running from C:\Users\*****\Desktop\BKA-Virus Jan. 2015
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-02-2015
Ran by ***** (administrator) on WOHNZIMMER-PC on 08-02-2015 00:55:38
Running from C:\Users\*****\Desktop\BKA-Virus Jan. 2015
Loaded Profiles: UpdatusUser & ***** (Available profiles: UpdatusUser & *****)
Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> services.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Dritek System INC.) C:\Windows\RfBtnSvc64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
Failed to access process -> csrss.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Atheros Communications) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Dolby Laboratories Inc.) C:\Dolby PCEE4\pcee4.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WWAHost.exe
(CyberLink) C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2874256 2012-12-07] (ELAN Microelectronics Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13267016 2013-01-29] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1276488 2013-01-18] (Realtek Semiconductor)
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe
HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [LManager] => [X]
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2994880 2012-08-15] (Symantec Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132736 2013-01-28] ( (Atheros Communications))
HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2013-08-22] (Microsoft Corporation)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [168616 2013-09-05] (NVIDIA Corporation)
Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75BA36AF7.lnk
ShortcutTarget: 75BA36AF7.lnk -> C:\ProgramData\7FA63AB57.cpp ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer13.msn.com
HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com
HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.yahoo.com/?fr=fp-comodo
HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com
SearchScopes: HKLM -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://de.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKLM-x32 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://de.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1264040666-3370852229-1384236812-1002 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{A5991357-9741-4C3E-BB6C-B10DE74BD949}: [NameServer] 156.154.70.25,156.154.71.25
Tcpip\..\Interfaces\{CE2573B1-6E34-444D-B297-E4E20EB9EDD5}: [NameServer] 156.154.70.25,156.154.71.25

FireFox:
========
FF ProfilePath: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default
FF SelectedSearchEngine: Yahoo
FF Homepage: hxxp://de.yahoo.com?fr=fp-comodo
FF Keyword.URL: hxxp://de.search.yahoo.com/search?fr=ytff-comodo&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\searchplugins\google-images.xml
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\searchplugins\google-maps.xml
FF Extension: Cliqz Beta - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\Extensions\cliqz@cliqz.com.xpi [2014-12-01]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\...\Firefox\Extensions: [cliqz@cliqz.com] - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\extensions\cliqz@cliqz.com

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [227456 2013-01-28] (Qualcomm Atheros Commnucations)
R2 CCDMonitorService; C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe [2615368 2013-02-19] (Acer Incorporated)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [7618952 2014-12-13] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2265304 2014-12-13] (COMODO)
S3 DeviceFastLaneService; C:\Program Files\Acer\Acer Device Fast-lane\DeviceFastLaneSvc.exe [469648 2012-11-16] (Acer Incorporated)
S3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [662088 2013-03-15] (Acer Incorporated)
R2 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [242912 2014-11-29] (Foxit Software Inc.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319376 2014-10-01] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-07-17] (Intel Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-15] (Symantec Corporation)
R2 RfButtonDriverService; C:\Windows\RfBtnSvc64.exe [93296 2013-07-08] (Dritek System INC.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-11-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-11-30] (Microsoft Corporation)
S2 Winmgmt; C:\ProgramData\75BA36AF7.zot [357376 2015-01-27] () [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-01-28] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-09-24] (Microsoft Corporation)
R1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-26] (Symantec Corporation)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [20184 2014-12-09] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [807568 2014-12-09] (COMODO)
R1 cmdhlp; C:\Windows\system32\DRIVERS\cmdhlp.sys [35080 2014-12-09] (COMODO)
R1 inspect; C:\Windows\system32\DRIVERS\inspect.sys [126208 2014-12-09] (COMODO)
R3 Ps2Kb2Hid; C:\Windows\System32\drivers\aPs2Kb2Hid.sys [26736 2013-07-08] (Dritek System Inc.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-11-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-08 00:42 - 2015-02-08 00:55 - 00000000 ____D () C:\FRST
2015-02-08 00:39 - 2015-02-08 00:39 - 00000000 _____ () C:\Users\*****\defogger_reenable
2015-02-08 00:33 - 2015-02-08 00:55 - 00000000 ____D () C:\Users\*****\Desktop\BKA-Virus Jan. 2015
2015-02-07 21:20 - 2015-02-07 21:21 - 00000000 ____D () C:\Users\*****\Doctor Web
2015-02-07 20:35 - 2015-02-07 20:36 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-30 22:12 - 2015-01-30 22:12 - 542121823 _____ () C:\WINDOWS\MEMORY.DMP
2015-01-30 22:12 - 2015-01-30 22:12 - 00787856 _____ () C:\WINDOWS\Minidump\013015-22203-01.dmp
2015-01-30 22:12 - 2015-01-30 22:12 - 00000000 ____D () C:\WINDOWS\Minidump
2015-01-27 11:09 - 2015-01-27 11:09 - 00357376 ____T () C:\ProgramData\75BA36AF7.zot
2015-01-27 11:06 - 2015-01-27 11:06 - 00200704 _____ () C:\ProgramData\7FA63AB57.cpp
2015-01-23 17:18 - 2015-01-23 17:18 - 00000424 _____ () C:\Users\*****\Desktop\Dieser PC - Verknüpfung.lnk
2015-01-18 16:27 - 2014-12-19 07:26 - 00140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2015-01-18 16:27 - 2014-12-12 03:04 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\system32\TSWbPrxy.exe
2015-01-18 16:27 - 2014-12-12 01:51 - 00075776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ahcache.sys
2015-01-18 16:27 - 2014-12-09 02:50 - 00225280 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00535640 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00531616 _____ (Microsoft Corporation) C:\WINDOWS\system32\ci.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00448792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00413248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Faultrep.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00372408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Faultrep.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00108944 _____ (Microsoft Corporation) C:\WINDOWS\system32\EncDump.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00038264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFaultSecure.exe
2015-01-18 16:27 - 2014-12-08 20:42 - 00033584 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFaultSecure.exe
2015-01-18 16:27 - 2014-12-06 04:17 - 00360448 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncsi.dll
2015-01-18 16:27 - 2014-12-06 02:41 - 00391680 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlasvc.dll
2015-01-18 16:27 - 2014-12-06 02:35 - 00229888 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2015-01-18 16:27 - 2014-10-29 05:00 - 00465320 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFault.exe
2015-01-18 16:27 - 2014-10-29 05:00 - 00139984 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
2015-01-18 16:27 - 2014-10-29 04:52 - 00500016 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioSes.dll
2015-01-18 16:27 - 2014-10-29 04:52 - 00482872 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEng.dll
2015-01-18 16:27 - 2014-10-29 04:52 - 00394120 _____ (Microsoft Corporation) C:\WINDOWS\system32\AUDIOKSE.dll
2015-01-18 16:27 - 2014-10-29 04:52 - 00272248 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiodg.exe
2015-01-18 16:27 - 2014-10-29 04:12 - 00413136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFault.exe
2015-01-18 16:27 - 2014-10-29 04:12 - 00136296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
2015-01-18 16:27 - 2014-10-29 04:07 - 00424544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioEng.dll
2015-01-18 16:27 - 2014-10-29 04:07 - 00370424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioSes.dll
2015-01-18 16:27 - 2014-10-29 04:07 - 00344536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AUDIOKSE.dll
2015-01-18 16:27 - 2014-10-29 03:44 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\system32\werdiagcontroller.dll
2015-01-18 16:27 - 2014-10-29 02:59 - 00033280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\werdiagcontroller.dll
2015-01-18 16:27 - 2014-10-29 02:24 - 00086016 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlaapi.dll
2015-01-18 16:27 - 2014-10-29 02:02 - 00911360 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-01-18 16:27 - 2014-10-29 02:01 - 00065536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\nlaapi.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-08 00:53 - 2013-08-22 16:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-02-08 00:47 - 2014-11-29 22:31 - 01474832 _____ () C:\WINDOWS\system32\Drivers\sfi.dat
2015-02-08 00:39 - 2014-11-30 14:13 - 00000000 ____D () C:\Users\*****
2015-02-08 00:36 - 2014-03-04 03:24 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1264040666-3370852229-1384236812-1002
2015-02-08 00:32 - 2014-11-30 14:56 - 00000000 ____D () C:\Users\*****\OneDrive
2015-02-08 00:28 - 2013-08-22 15:46 - 00327631 _____ () C:\WINDOWS\setupact.log
2015-02-08 00:28 - 2013-08-22 15:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-08 00:27 - 2014-11-30 14:06 - 01838671 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-08 00:27 - 2014-05-18 22:21 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-08 00:27 - 2013-08-22 14:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-02-08 00:02 - 2014-12-14 10:56 - 00000884 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-07 21:43 - 2014-09-23 22:06 - 00154044 _____ () C:\WINDOWS\PFRO.log
2015-02-07 21:22 - 2013-08-22 16:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-02-07 21:02 - 2014-12-14 10:56 - 00003772 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-01-30 23:10 - 2014-03-04 03:16 - 00000000 ____D () C:\Users\*****\AppData\Roaming\Adobe
2015-01-26 15:22 - 2014-09-24 07:17 - 02121612 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-26 15:22 - 2014-09-24 06:43 - 01021576 _____ () C:\WINDOWS\system32\perfh007.dat
2015-01-26 15:22 - 2014-09-24 06:43 - 00243696 _____ () C:\WINDOWS\system32\perfc007.dat
2015-01-26 08:33 - 2014-11-29 18:10 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-26 08:33 - 2012-07-26 08:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-01-26 08:29 - 2014-11-29 18:10 - 113365784 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-23 17:21 - 2014-07-26 18:53 - 00000000 ____D () C:\Users\*****\AppData\Local\clear.fi
2015-01-23 17:15 - 2014-12-13 09:46 - 00714720 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-01-23 17:15 - 2014-12-13 09:46 - 00106976 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2015-01-27 11:09 - 2015-01-27 11:09 - 0357376 ____T () C:\ProgramData\75BA36AF7.zot
2015-01-27 11:06 - 2015-01-27 11:06 - 0200704 _____ () C:\ProgramData\7FA63AB57.cpp
2013-07-08 15:44 - 2013-07-08 15:44 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-01-30 23:35

==================== End Of Log ============================

Unfortunately I have to attach the GMER log, since at over 600K characters it already exceeds the limit here. :/

Last edited by Pappa Bear (08.02.2015 at 02:19)
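As an added example (not code from the thread, from FRST or from its author), a small Python triage script that parses the Run, ShortcutTarget and service lines of an FRST.txt like the one above and flags the pattern visible here: a Startup shortcut and a service registered under the built-in name Winmgmt both pointing at unsigned, hex-named files with non-executable extensions under C:\ProgramData. The sample lines are copied from the log above; the list of well-known service names and the scoring heuristics are my assumptions, not FRST rules.

```python
import re
from dataclasses import dataclass, field
from typing import List

# The heuristics and the service-name list are assumptions made for this
# example; they are not rules taken from FRST.
KNOWN_SYSTEM_SERVICES = {"winmgmt", "wuauserv", "bits", "schedule", "eventlog"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".cpl", ".scr")
HEX_NAME = re.compile(r"^[0-9a-f]{8,}\.[a-z0-9]{1,4}$", re.I)

# Publisher field as FRST prints it: "(Vendor)", "()" or even "( (Vendor))".
PUB = r"\(((?:[^()]|\([^()]*\))*)\)"
SERVICE_RE = re.compile(
    r"^([RS]\d)\s+(\S+?);\s+(.+?)\s+\[(\d+)\s+(\d{4}-\d{2}-\d{2})\]\s+" + PUB + r"(.*)$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget:\s+(\S+)\s+->\s+(.+?)\s+" + PUB + r"\s*$")
RUN_RE = re.compile(
    r"^(HK\S*?\\Run(?:Once)?):\s+\[([^\]]*)\]\s+=>\s+(.+?)"
    r"(?:\s+\[(\d+)\s+(\d{4}-\d{2}-\d{2})\])?(?:\s+" + PUB + r")?\s*$")

# (kind, regex, picker returning (path, publisher, service_name, trailer))
PARSERS = (
    ("service", SERVICE_RE, lambda g: (g[2], g[5], g[1], g[6])),
    ("shortcut", SHORTCUT_RE, lambda g: (g[1], g[2], "", "")),
    ("run", RUN_RE, lambda g: (g[2], g[5], "", "")),
)

# Constructed sample input: lines copied from the FRST.txt posted above.
SAMPLE_FRST = r"""
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2874256 2012-12-07] (ELAN Microelectronics Corp.)
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe
HKLM\...\Run: [] => [X]
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132736 2013-01-28] ( (Atheros Communications))
Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75BA36AF7.lnk
ShortcutTarget: 75BA36AF7.lnk -> C:\ProgramData\7FA63AB57.cpp ()
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [7618952 2014-12-13] (COMODO)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319376 2014-10-01] (Intel Corporation)
S2 Winmgmt; C:\ProgramData\75BA36AF7.zot [357376 2015-01-27] () [File not signed]
"""


@dataclass
class Finding:
    kind: str          # "run", "shortcut" or "service"
    path: str
    reasons: List[str] = field(default_factory=list)


def assess(path, publisher, service_name="", trailer=""):
    """Reasons an autostart target looks like a lock-screen payload (heuristic)."""
    reasons = []
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if low.startswith(USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable directory")
    if HEX_NAME.match(name):
        reasons.append("random hex-style file name")
    if not name.endswith(EXEC_EXTENSIONS):
        reasons.append("non-executable extension used as a payload")
    if publisher is not None and not publisher.strip():
        reasons.append("no publisher in the version information")
    if "[file not signed]" in trailer.lower():
        reasons.append("FRST reports the file as not signed")
    if service_name.lower() in KNOWN_SYSTEM_SERVICES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"well-known service name {service_name!r} points outside System32")
    return reasons


def analyze(frst_text):
    """Walk an FRST.txt dump and return the autostart entries that trip a heuristic."""
    findings = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        for kind, regex, pick in PARSERS:
            m = regex.match(line)
            if not m:
                continue
            path, publisher, service_name, trailer = pick(m.groups())
            if not path.startswith("["):   # "[X]": FRST found no file to assess
                reasons = assess(path, publisher, service_name, trailer)
                if reasons:
                    findings.append(Finding(kind, path, reasons))
            break
    return findings


def report(frst_text):
    """Human-readable summary, one block per flagged entry."""
    out = []
    for f in analyze(frst_text):
        out.append(f"[{f.kind}] {f.path}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out) if out else "no suspicious autostart entries"


if __name__ == "__main__":
    print(report(SAMPLE_FRST))
```

Run against the sample it reports exactly the two ProgramData entries and nothing from the vendor-signed Run keys or services.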
08.02.2015, 07:47 | #2
/// the machine /// (TB-Ausbilder)

Hi,

Please always post logs in the thread. If necessary, split them up and use several posts. I cannot open attachments at work, thanks.

How it works: posting in CODE tags

Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:

Addition.txt is still missing.
08.02.2015, 12:06 | #3
OK, then I'll split the GMER report into forum-sized parts. ;o)

And I had actually already posted the Addition in position 2. It was that empty. Or do I have to run it over the machine twice? Thanks for your quick help.

GMER log:
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-02-08 01:10:00
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e TOSHIBA_MQ01ABD100 rev.AX003J 931,51GB
Running: Gmer-19357.exe; Driver: C:\Users\*****\AppData\Local\Temp\kgrcauoc.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\csrss.exe[520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff91f3e1720 8 bytes JMP 00007ff91f5000d8
.text C:\WINDOWS\system32\csrss.exe[520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff91f3e1920 8 bytes JMP 00007ff91f500110
.text C:\WINDOWS\system32\csrss.exe[520] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 8 bytes JMP 00007ff91f500148
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 95]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7F]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 8D]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 89]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8F]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6F]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 87]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 77]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 79]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 8B]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 99]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 6B]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 69]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 81]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 71]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 6D]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 75]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 73]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 91]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 97]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 83]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 93]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x85d150]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x7bd0b0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x7dd020]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ff91f20f980 6 bytes {JMP QWORD [RIP+0x3706b0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ff91f2402a4 6 bytes {JMP QWORD [RIP+0x31fd8c]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb4ee80]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xb2ee30]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xaaee20]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa8ee10]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb6eb90]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb8eb40]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xbce400]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xb0e3e0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x92d720]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8ecb60]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x9abf10]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xc0b1c0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x96ae00]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xac9960]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8c96c0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9e742c]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x8a611c]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8457d0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x8038a0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 88]
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0xa21cf0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xc21b50]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xae13dc]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x85de1c]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x93d620]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xbdc600]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8f9f08]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa40ab0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb7c950]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x959e80]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x9d9b50]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7b63d0]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xc052c4]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7d26b8]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9c39f8]}
.text C:\WINDOWS\system32\services.exe[728] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9430ac]}
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]}
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75]
.text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile
00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\WINDOWS\system32\lsass.exe[736] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\WINDOWS\system32\lsass.exe[736] 
C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\system32\lsass.exe[736] 
C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\WINDOWS\system32\lsass.exe[736] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[836] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 95] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7F] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 8D] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 89] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8F] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6F] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 87] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 77] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 79] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 8B] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 99] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 6B] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 69] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 81] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 
71] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 6D] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 75] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 73] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 91] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 97] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 83] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 93] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x85d150]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x7bd0b0]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x7dd020]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ff91f20f980 6 bytes {JMP QWORD [RIP+0x3706b0]} .text 
C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ff91f2402a4 6 bytes {JMP QWORD [RIP+0x31fd8c]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb4ee80]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xb2ee30]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xaaee20]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa8ee10]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb6eb90]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb8eb40]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xbce400]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xb0e3e0]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x92d720]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8ecb60]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x9abf10]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xc0b1c0]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x96ae00]} .text 
C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xac9960]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8c96c0]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9e742c]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x8a611c]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8457d0]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x8038a0]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 88] .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0xa21cf0]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xc21b50]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xae13dc]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x85de1c]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x93d620]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xbdc600]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8f9f08]} .text 
C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa40ab0]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb7c950]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x959e80]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x9d9b50]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7b63d0]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xc052c4]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7d26b8]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9c39f8]} .text C:\WINDOWS\system32\svchost.exe[836] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9430ac]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 95] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7F] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 8D] .text 
C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 89] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8F] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6F] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 87] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 77] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 79] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 8B] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 99] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 6B] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 69] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 81] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 71] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 6D] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 75] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 
00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 73] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 91] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 97] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 83] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 93] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x85d150]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x7bd0b0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x7dd020]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ff91f20f980 6 bytes {JMP QWORD [RIP+0x3706b0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ff91f2402a4 6 bytes {JMP QWORD [RIP+0x31fd8c]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb4ee80]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SetParent 
00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xb2ee30]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xaaee20]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa8ee10]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb6eb90]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb8eb40]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xbce400]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xb0e3e0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x92d720]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8ecb60]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x9abf10]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xc0b1c0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x96ae00]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xac9960]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8c96c0]} .text C:\WINDOWS\system32\svchost.exe[888] 
C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9e742c]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x8a611c]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8457d0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x8038a0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 88] .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0xa21cf0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xc21b50]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xae13dc]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x85de1c]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x93d620]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xbdc600]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8f9f08]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa40ab0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb7c950]} .text C:\WINDOWS\system32\svchost.exe[888] 
C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x959e80]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x9d9b50]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7b63d0]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xc052c4]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7d26b8]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9c39f8]} .text C:\WINDOWS\system32\svchost.exe[888] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9430ac]} |
08.02.2015, 12:07 | #4 |
| Windows 8.1, "BKA/Interpol virus", computer runs, process disabled in Task Manager -2- Code:
C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes JMP 4a4a4a4a .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Windows\system32\nvvsvc.exe[984] 
C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\Windows\system32\nvvsvc.exe[984] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\WINDOWS\system32\svchost.exe[292] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] 
.text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text 
C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD 
[RIP+0x8057d0]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD 
[RIP+0x7763d0]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\WINDOWS\system32\svchost.exe[292] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\WINDOWS\System32\svchost.exe[440] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP 
QWORD [RIP+0x81d150]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes 
{JMP QWORD [RIP+0x8ed720]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD 
[RIP+0xaa13dc]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\WINDOWS\System32\svchost.exe[440] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes 
{JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 95] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7F] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 8D] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 89] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8F] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6F] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 87] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 77] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 79] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 8B] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 99] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 6B] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 69] .text C:\WINDOWS\system32\svchost.exe[616] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 81] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 71] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 6D] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 75] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 73] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 91] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 97] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 83] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 93] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x85d150]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x7bd0b0]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x7dd020]} .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[616] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\system32\svchost.exe[616] 
08.02.2015, 12:11 | #5 |
| Windows 8.1, "BKA/Interpol virus", computer runs, process disabled in TM -3- Code:
C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text 
C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\System32\spoolsv.exe[1476] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 95] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7F] .text 
C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 8D] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 89] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8F] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6F] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 87] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 77] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 79] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 8B] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 99] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 6B] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 69] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 81] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 71] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 6D] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 
00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 75] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 73] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 91] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 97] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 83] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 93] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x85d150]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x7bd0b0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x7dd020]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIf3 00007ff91f20f980 6 bytes {JMP QWORD [RIP+0x3706b0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\RPCRT4.dll!RpcServerRegisterIfEx 00007ff91f2402a4 6 bytes {JMP QWORD [RIP+0x31fd8c]} .text C:\WINDOWS\system32\svchost.exe[1516] 
C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb4ee80]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xb2ee30]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xaaee20]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa8ee10]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb6eb90]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb8eb40]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xbce400]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xb0e3e0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x92d720]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8ecb60]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x9abf10]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xc0b1c0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x96ae00]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xac9960]} .text 
C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8c96c0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9e742c]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x8a611c]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8457d0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x8038a0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 88] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0xa21cf0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xc21b50]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xae13dc]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x85de1c]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x93d620]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xbdc600]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8f9f08]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD 
[RIP+0xa40ab0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb7c950]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x959e80]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x9d9b50]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7b63d0]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xc052c4]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7d26b8]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9c39f8]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9430ac]} .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\svchost.exe[1516] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 
00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes 
[FF, 25, 10, DA, 8F] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 4 bytes {CALL QWORD [RIP+0x161a994]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x1679770]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 6 bytes {JMP QWORD [RIP+0x1650780]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] 
C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Program Files (x86)\Qualcomm 
Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text 
C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes JMP 0 .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes 
[33, 1F, F9, 7F] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[1684] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\WINDOWS\system32\dashost.exe[1772] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\WINDOWS\system32\dashost.exe[1772] 
08.02.2015, 12:13 | #6 |
| Windows 8.1, "BKA/Interpol virus", PC runs, process disabled in Task Manager -4- Code:
C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 
bytes {JMP QWORD [RIP+0x919e80]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Windows\RfBtnSvc64.exe[1964] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\WINDOWS\system32\svchost.exe[1636] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 
71] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD 
[RIP+0xa6ee20]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 
bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 
00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\svchost.exe[1636] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 
00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text 
C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text 
C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD 
[RIP+0xb8e400]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 
00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] 
C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text 
C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2388] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] |
08.02.2015, 12:16 | #7 |
| Windows 8.1, "BKA/Interpol virus", computer runs, process disabled in Task Manager -5- Code:
(x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 4 bytes {CALL QWORD [RIP+0x161a994]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x1679770]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 6 bytes {JMP QWORD [RIP+0x1650780]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card 
Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes JMP c .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes JMP 442 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes JMP 2d0031 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] 
C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes JMP 29292929 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] 
C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] 
C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP QWORD [RIP+0x1fc480]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes {JMP QWORD [RIP+0x5918b4]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes {JMP QWORD [RIP+0x4f9a98]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 
bytes [33, 1F, F9, 7F] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[4088] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\csrss.exe[3428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff91f3e1720 8 bytes JMP 00007ff91f5000d8 .text C:\WINDOWS\system32\csrss.exe[3428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff91f3e1920 8 bytes JMP 00007ff91f500110 .text C:\WINDOWS\system32\csrss.exe[3428] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 8 bytes JMP 00007ff91f500148 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\WINDOWS\system32\dwm.exe[2252] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text 
C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ff91e7628c0 7 bytes JMP 00007ffa1ca602d0 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ff91e7643d8 7 bytes JMP 00007ffa1ca60308 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ff91e811f20 7 bytes JMP 00007ffa1ca60378 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ff91e8140b4 7 bytes JMP 00007ffa1ca603b0 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ff91e814510 7 bytes JMP 00007ffa1ca60340 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ff91e814af0 7 bytes JMP 00007ffa1ca60260 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ff91e83cea0 7 bytes JMP 00007ffa1ca60228 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ff91e83cf10 7 bytes JMP 00007ffa1ca60298 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ff91ca7299c 7 bytes JMP 00007ffa1ca600d8 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ff91ca754c8 5 bytes JMP 00007ffa1ca60180 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ff91ca755b0 5 bytes JMP 00007ffa1ca60148 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\dwm.exe[2252] 
C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ff91ca75e58 5 bytes JMP 00007ffa1ca60110 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\WINDOWS\system32\dwm.exe[2252] 
C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ff91ee07834 10 bytes JMP 00007ffa1ca60490 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ff91ee0b4d0 5 bytes JMP 00007ffa1ca60420 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ff91ee0c6d8 5 bytes JMP 00007ffa1ca60458 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ff91ee0e39c 9 bytes JMP 00007ffa1ca603e8 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!EnableWindow 
00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes 
{JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ff91efe1500 8 bytes JMP 00007ffa1ca601b8 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ff91efe1750 8 bytes JMP 00007ffa1ca601f0 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP QWORD [RIP+0x1fc480]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes {JMP QWORD [RIP+0x5918b4]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes {JMP QWORD [RIP+0x4f9a98]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]} .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ff91a297a88 5 bytes JMP 00007ffa1a250110 .text C:\WINDOWS\system32\dwm.exe[2252] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory 
00007ff91a2a4990 5 bytes JMP 00007ffa1a2500d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes JMP 740061 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes JMP 300030 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes JMP 780065 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes JMP 300030 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 
00007ff91f3e2ee0 6 bytes JMP 6e006f .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] 
C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes JMP 340002 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes JMP 69006c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes JMP 1 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!mouse_event 
00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes JMP 530057 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes JMP 0 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes JMP 0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP QWORD [RIP+0x1fc480]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes {JMP QWORD [RIP+0x5918b4]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes {JMP QWORD [RIP+0x4f9a98]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] 
C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3176] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes JMP 1437 .text C:\WINDOWS\system32\nvvsvc.exe[3184] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes JMP 0 .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD 
[RIP+0x81d150]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 20] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x269770]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 24] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes JMP 750072 .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD 
[RIP+0x8ed720]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD 
[RIP+0xaa13dc]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP 
QWORD [RIP+0x1fc480]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes {JMP QWORD [RIP+0x5918b4]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes JMP 3a87 .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]} .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[3184] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] |
08.02.2015, 12:19 | #8 |
| Windows 8.1, "BKA/Interpol virus", PC runs, process disabled in Task Manager -6- |
.text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\WINDOWS\system32\taskhostex.exe[284] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\system32\taskhostex.exe[284] 
C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD 
[RIP+0xbcb1c0]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 
00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\taskhostex.exe[284] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\system32\taskhostex.exe[284] 
C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 
00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x1629770]} .text C:\WINDOWS\Explorer.EXE[1332] 
C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 6 bytes {JMP QWORD [RIP+0x1600780]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes JMP f630fb1 .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes JMP 6f01f4 .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes JMP 340002 .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\WINDOWS\Explorer.EXE[1332] 
C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes JMP 4d004d .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\WINDOWS\Explorer.EXE[1332] 
C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes JMP 6f0070 .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes JMP 0 .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP QWORD [RIP+0x1fc480]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes JMP 690074 .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes JMP c709a4ff .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]} .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, 
F9, 7F] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\WINDOWS\Explorer.EXE[1332] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\Windows\System32\skydrive.exe[3776] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\Windows\System32\skydrive.exe[3776] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x1629770]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 6 bytes {JMP QWORD [RIP+0x1600780]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text 
C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP 
QWORD [RIP+0x81de1c]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\skydrive.exe[3776] 
C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\skydrive.exe[3776] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Windows\System32\RuntimeBroker.exe[992] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text 
C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\Windows\System32\RuntimeBroker.exe[992] 
C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes 
{JMP QWORD [RIP+0xbe1b50]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text 
C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\RuntimeBroker.exe[992] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 
6B] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3256] 
08.02.2015, 12:21 | #9 |
| Windows 8.1, "BKA/Interpol virus", computer runs, process disabled in Task Manager -7- Code:
Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] 
C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!keybd_event 
00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP QWORD [RIP+0x1fc480]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes {JMP QWORD [RIP+0x5918b4]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes {JMP QWORD [RIP+0x4f9a98]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]} .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Elantech\ETDCtrl.exe[2860] 
C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Elantech\ETDCtrl.exe[2860] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text 
C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\Windows\System32\SettingSyncHost.exe[3620] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\Windows\System32\SettingSyncHost.exe[3620] 
C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Windows\System32\SettingSyncHost.exe[3620] 
C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Windows\System32\SettingSyncHost.exe[3620] 
C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\SettingSyncHost.exe[3620] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 4 bytes {CALL QWORD [RIP+0x161a994]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x1679770]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 6 bytes {JMP QWORD [RIP+0x1650780]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 
6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes JMP fffff901 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 
00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1056] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] |
08.02.2015, 12:22 | #10 |
| Windows 8.1, "BKA/Interpol-Virus", PC is running, process disabled in TM -8- Code:
C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Program 
Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes JMP 5c0068 .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD 
[RIP+0x9839f8]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP QWORD [RIP+0x1fc480]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes {JMP QWORD [RIP+0x5918b4]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes {JMP QWORD [RIP+0x4f9a98]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]} .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[4008] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Program 
Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Program 
Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} 
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 4 bytes {CALL QWORD [RIP+0x161a994]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x1679770]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 6 bytes {JMP QWORD [RIP+0x1650780]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] 
C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} 
.text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] 
C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]} .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3556] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B] .text 
C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93] .text C:\Windows\System32\igfxTray.exe[2640] 
C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x1629770]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 6 bytes {JMP QWORD [RIP+0x1600780]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]} .text 
C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes 
[FF, 25, F8, 26, 84] .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]} .text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]} .text C:\Windows\System32\igfxTray.exe[2640] 
C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP QWORD [RIP+0x1fc480]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes {JMP QWORD [RIP+0x5918b4]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes {JMP QWORD [RIP+0x4f9a98]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]}
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F]
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F]
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F]
.text C:\Windows\System32\igfxTray.exe[2640] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x1629770]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 6 bytes {JMP QWORD [RIP+0x1600780]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP QWORD [RIP+0x1fc480]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes {JMP QWORD [RIP+0x5918b4]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes {JMP QWORD [RIP+0x4f9a98]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]}
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F]
.text C:\WINDOWS\system32\igfxEM.exe[3076] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrUnloadDll 00007ff91f371838 6 bytes {JMP QWORD [RIP+0x1de7f8]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtClose 00007ff91f3e1760 5 bytes [FF, 25, D0, E8, 14]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationProcess 00007ff91f3e1830 5 bytes [FF, 25, 00, E8, 91]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff91f3e1930 5 bytes [FF, 25, 00, E7, 7B]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenFile 00007ff91f3e19a0 5 bytes [FF, 25, 90, E6, 89]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff91f3e19e0 5 bytes [FF, 25, 50, E6, 85]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00007ff91f3e1a80 5 bytes [FF, 25, B0, E5, 8B]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff91f3e1af0 5 bytes [FF, 25, 40, E5, 6B]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff91f3e1b10 5 bytes [FF, 25, 20, E5, 83]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff91f3e1b50 5 bytes [FF, 25, E0, E4, 73]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff91f3e1ba0 5 bytes [FF, 25, 90, E4, 75]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateFile 00007ff91f3e1bc0 5 bytes [FF, 25, 70, E4, 87]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00007ff91f3e1dd0 5 bytes [FF, 25, 60, E2, 95]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcCreatePort 00007ff91f3e1df0 5 bytes [FF, 25, 40, E2, 67]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff91f3e1ef0 5 bytes [FF, 25, 40, E1, 65]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtConnectPort 00007ff91f3e1ff0 5 bytes [FF, 25, 40, E0, 7D]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff91f3e2040 5 bytes [FF, 25, F0, DF, 6D]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff91f3e20d0 5 bytes [FF, 25, 60, DF, 69]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreatePort 00007ff91f3e2100 5 bytes [FF, 25, 30, DF, 71]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff91f3e2160 5 bytes [FF, 25, D0, DE, 6F]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00007ff91f3e2170 5 bytes [FF, 25, C0, DE, 8D]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff91f3e2180 5 bytes [FF, 25, B0, DE, 93]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff91f3e2590 5 bytes [FF, 25, A0, DA, 7F]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00007ff91f3e2620 5 bytes [FF, 25, 10, DA, 8F]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff91f3e2ee0 6 bytes {JMP QWORD [RIP+0x81d150]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff91f3e2f80 6 bytes {JMP QWORD [RIP+0x77d0b0]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff91f3e3010 6 bytes {JMP QWORD [RIP+0x79d020]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 198 00007ff91ca75676 3 bytes [94, A9, 10]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW 00007ff91ca868c0 6 bytes {JMP QWORD [RIP+0x219770]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\KERNELBASE.dll!SetProcessShutdownParameters 00007ff91ca8f8b0 5 bytes [FF, 25, 80, 07, 1F]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!MoveWindow 00007ff91ee011b0 6 bytes {JMP QWORD [RIP+0xb0ee80]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SetParent 00007ff91ee01200 6 bytes {JMP QWORD [RIP+0xaeee30]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!GetKeyboardState 00007ff91ee01210 6 bytes {JMP QWORD [RIP+0xa6ee20]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendInput 00007ff91ee01220 6 bytes {JMP QWORD [RIP+0xa4ee10]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SetClipboardViewer 00007ff91ee014a0 6 bytes {JMP QWORD [RIP+0xb2eb90]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!BlockInput 00007ff91ee014f0 6 bytes {JMP QWORD [RIP+0xb4eb40]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!RegisterHotKey 00007ff91ee01c30 6 bytes {JMP QWORD [RIP+0xb8e400]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!RegisterRawInputDevices 00007ff91ee01c50 6 bytes {JMP QWORD [RIP+0xace3e0]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!PostThreadMessageW 00007ff91ee02910 6 bytes {JMP QWORD [RIP+0x8ed720]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!PostMessageW 00007ff91ee034d0 6 bytes {JMP QWORD [RIP+0x8acb60]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutW + 1 00007ff91ee04121 5 bytes {JMP QWORD [RIP+0x96bf10]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoW 00007ff91ee04e70 6 bytes {JMP QWORD [RIP+0xbcb1c0]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendMessageW 00007ff91ee05230 6 bytes {JMP QWORD [RIP+0x92ae00]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!GetKeyState + 1 00007ff91ee066d1 5 bytes {JMP QWORD [RIP+0xa89960]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!PostMessageA 00007ff91ee06970 6 bytes {JMP QWORD [RIP+0x8896c0]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackW 00007ff91ee08c04 6 bytes {JMP QWORD [RIP+0x9a742c]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SetWindowLongW 00007ff91ee09f14 6 bytes {JMP QWORD [RIP+0x86611c]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW 00007ff91ee0a860 6 bytes {JMP QWORD [RIP+0x8057d0]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!mouse_event 00007ff91ee0c790 6 bytes {JMP QWORD [RIP+0x7c38a0]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SetWindowLongA 00007ff91ee0d938 5 bytes [FF, 25, F8, 26, 84]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageW 00007ff91ee0e340 6 bytes {JMP QWORD [RIP+0x9e1cf0]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!EnableWindow 00007ff91ee0e4e0 6 bytes {JMP QWORD [RIP+0xbe1b50]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!GetAsyncKeyState 00007ff91ee0ec54 6 bytes {JMP QWORD [RIP+0xaa13dc]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SetWinEventHook + 1 00007ff91ee12215 5 bytes {JMP QWORD [RIP+0x81de1c]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendMessageA 00007ff91ee12a10 6 bytes {JMP QWORD [RIP+0x8fd620]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SystemParametersInfoA 00007ff91ee13a30 6 bytes {JMP QWORD [RIP+0xb9c600]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!PostThreadMessageA 00007ff91ee16128 6 bytes {JMP QWORD [RIP+0x8b9f08]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageW 00007ff91ee2f580 6 bytes {JMP QWORD [RIP+0xa00ab0]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!GetClipboardData 00007ff91ee336e0 6 bytes {JMP QWORD [RIP+0xb3c950]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendMessageTimeoutA 00007ff91ee361b0 6 bytes {JMP QWORD [RIP+0x919e80]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendNotifyMessageA 00007ff91ee364e0 6 bytes {JMP QWORD [RIP+0x999b50]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!keybd_event 00007ff91ee39c60 6 bytes {JMP QWORD [RIP+0x7763d0]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!ExitWindowsEx 00007ff91ee4ad6c 6 bytes {JMP QWORD [RIP+0xbc52c4]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA 00007ff91ee5d978 6 bytes {JMP QWORD [RIP+0x7926b8]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendDlgItemMessageA 00007ff91ee8c638 6 bytes {JMP QWORD [RIP+0x9839f8]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\USER32.dll!SendMessageCallbackA 00007ff91ee8cf84 6 bytes {JMP QWORD [RIP+0x9030ac]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\GDI32.dll!BitBlt 00007ff91efe3bb0 6 bytes {JMP QWORD [RIP+0x1fc480]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\GDI32.dll!CreateDCA 00007ff91eff2eec 6 bytes {JMP QWORD [RIP+0x15d144]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\GDI32.dll!CreateDCW 00007ff91eff30d0 6 bytes {JMP QWORD [RIP+0x17cf60]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\GDI32.dll!StretchBlt 00007ff91effe77c 6 bytes {JMP QWORD [RIP+0x5918b4]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\GDI32.dll!GetPixel 00007ff91effe8e0 6 bytes {JMP QWORD [RIP+0x191750]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\GDI32.dll!MaskBlt 00007ff91f006598 6 bytes {JMP QWORD [RIP+0x4f9a98]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\GDI32.dll!PlgBlt 00007ff91f053514 6 bytes {JMP QWORD [RIP+0x51cb1c]}
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff91f33169a 4 bytes [33, 1F, F9, 7F]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff91f3316a2 4 bytes [33, 1F, F9, 7F]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff91f33181a 4 bytes [33, 1F, F9, 7F]
.text C:\WINDOWS\system32\igfxHK.exe[4716] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff91f331832 4 bytes [33, 1F, F9, 7F]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [3428:1692] fffff9600088bb90

---- Processes - GMER 2.1 ----

Library c:\progra~3\75ba36af7.zot (*** suspicious ***) @ C:\WINDOWS\system32\svchost.exe [616](2015-01-27 10:09:24) 000000007c000000
Library C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1007_x86__kzf8qxf38zg5c\Microsoft.PerfTrack.dll (*** suspicious ***) @ C:\WINDOWS\syswow64\wwahost.exe [1316] (Microsoft.PerfTrack.dll/Microsoft Corporation)(2014-09-24 06:04:07) 0000000073360000
Library C:\Program Files\WindowsApps\Microsoft.SkypeApp_3.1.0.1007_x86__kzf8qxf38zg5c\LibWrap.dll (*** suspicious ***) @ C:\WINDOWS\syswow64\wwahost.exe [1316] (Microsoft Skype/Microsoft Corporation)(2014-12-14 09:50:10) 000000006e060000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
08.02.2015, 16:43, #11

Hello Schrauber, I have to apologise. I was probably a bit too impatient with the Addition scan. I had the impression that FRST had hung during the "extra check", and killed the process. Now I started it again and simply let it run, and lo and behold, after a good 30 minutes it spat out a usable result. See box:

Addition

Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-02-2015
Ran by ****** at 2015-02-08 14:24:12
Running from C:\Users\******\Desktop\BKA-Virus Jan. 2015
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

clear.fi SDK - Video 2 (x32 Version: 2.1.2606 - CyberLink Corp.) Hidden
clear.fi SDK- Movie 2 (x32 Version: 2.1.2606 - CyberLink Corp.) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Acer Device Fast-lane (HKLM\...\{3F62D2FD-13C1-49A2-8B5D-47623D9460D7}) (Version: 1.00.3011 - Acer Incorporated)
Acer Instant Update Service (HKLM\...\{81C6F800-A69B-4E70-9DC0-74732F8B00E7}) (Version: 1.00.3015 - Acer Incorporated)
Acer Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.3013 - Acer Incorporated)
Acer Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.3016 - Acer Incorporated)
AcerCloud Docs (HKLM-x32\...\{CA4FE8B0-298C-4E5D-A486-F33B126D6A0A}) (Version: 1.01.2008 - Acer Incorporated)
AcerCloud Portal (HKLM-x32\...\{A5AD0B17-F34D-49BE-A157-C8B3D52ACD13}) (Version: 2.02.2021 - Acer Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
clear.fi Media (HKLM-x32\...\{E9AF1707-3F3A-49E2-8345-4F2D629D0876}) (Version: 2.02.2012 - Acer Incorporated)
clear.fi Photo (HKLM-x32\...\{B5AD89F2-03D3-4206-8487-018298007DD0}) (Version: 2.02.2016 - Acer Incorporated)
Cliqz (HKLM-x32\...\{5A0C0737-6AFE-4DC6-A8B4-6DFE509ACD75}_is1) (Version: 0.5.31 - Cliqz.com)
COMODO Internet Security Premium (HKLM\...\{7B1A9CD1-B552-4FA7-BBC1-EDDEAB8855A7}) (Version: 8.0.0.4337 - COMODO Security Solutions Inc.)
CyberLink MediaEspresso 6.5 (HKLM-x32\...\InstallShield_{E3739848-5329-48E3-8D28-5BBD6E8BE384}) (Version: 6.5.3729_45993 - CyberLink Corp.)
Dolby Home Theater v4 (HKLM-x32\...\{B26438B4-BF51-49C3-9567-7F14A5E40CB9}) (Version: 7.2.8000.17 - Dolby Laboratories Inc)
eBay Worldwide (HKLM-x32\...\{91589413-6675-4C27-8AFC-EFB9103B90A5}) (Version: 2.4.0105 - OEM)
ETDWare PS/2-X64 11.6.17.002_WHQL (HKLM\...\Elantech) (Version: 11.6.17.002 - ELAN Microelectronic Corp.)
Foxit Cloud (HKLM-x32\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 2.1.32.905 - Foxit Software Inc.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 7.0.3.916 - Foxit Software Inc.)
Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.3006 - Acer Incorporated)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3958 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.5.4.1001 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Launch Manager (HKLM-x32\...\LManager) (Version: 7.0.10 - Acer Inc.)
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.3010 - Acer Incorporated)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 35.0 (x86 de) (HKLM-x32\...\Mozilla Firefox 35.0 (x86 de)) (Version: 35.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Nero BackItUp 12 Essentials OEM.a01 (HKLM-x32\...\{4CA8F973-6377-4ABF-9ED5-CC2323B3C000}) (Version: 12.5.00500 - Nero AG)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.2.3.51r2 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.1.0.14 - Symantec Corporation) Hidden
NVIDIA Grafiktreiber 311.30 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.30 - NVIDIA Corporation)
NVIDIA PhysX-Systemsoftware 9.12.1031 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.1031 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
Office Addin (HKLM-x32\...\{6D2BBE1D-E600-4695-BA37-0B0E605542CC}) (Version: 2.02.2008 - Acer)
Office Addin 2003 (HKLM-x32\...\{1FCC073B-CC01-4443-AD20-E559F66E6E83}) (Version: 2.02.2008 - Acer)
OpenOffice 4.1.1 (HKLM-x32\...\{ACD0FFF9-6B35-43C1-82DB-9FF6990E8602}) (Version: 4.11.9775 - Apache Software Foundation)
paint.net (HKLM\...\{F509C1F4-0029-49F9-B145-A4C4E8DF481A}) (Version: 4.0.3 - dotPDN LLC)
Prerequisite installer (x32 Version: 12.0.0003 - Nero AG) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.220 - Qualcomm Atheros Communications)
Qualcomm Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.7 - Qualcomm Atheros Communications Inc.)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 11.41 - Qualcomm Atheros)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6833 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.2.8400.28124 - Realtek Semiconductor Corp.)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Spotify (HKLM-x32\...\Spotify) (Version: 0.8.4.99.ga249b5f1 - Spotify AB)
Visual Studio 2005 Tools for Office Second Edition Runtime (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1264040666-3370852229-1384236812-1002_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)

==================== Restore Points =========================

Could not list restore points. Check "winmgmt" service or repair WMI.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 14:25 - 2013-08-22 14:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {34B5F279-7DA5-4330-87BD-89D99E9ECCBA} - System32\Tasks\iuBrowserIEAgent => C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe [2013-02-08] ()
Task: {35AB068A-60B1-4F7F-848C-7E37C6E048BD} - System32\Tasks\DeviceDetector => C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe [2013-02-08] (CyberLink)
Task: {52C554B3-246C-46D3-B6AD-7FA1E64E0629} - System32\Tasks\COMODO\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: {6E403754-8FE2-467A-BEA5-B027DE37D598} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-07] (Adobe Systems Incorporated)
Task: {7B908A10-3C74-4CD2-86BE-C7F7C5AD3155} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-27] (Adobe Systems Incorporated)
Task: {998BB934-9149-41A3-98F8-0A0C390F9458} - System32\Tasks\Power Management => C:\Program Files\Acer\Acer Power Management\ePowerTray.exe [2013-03-15] (Acer Incorporated)
Task: {C1DDFD9A-4E36-4E9B-A5CA-2E82CB9A9E06} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-01-26] (Microsoft Corporation)
Task: {CD32ACF4-E397-40C2-86C6-CB2B91014807} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: {D94CFF4C-A713-4825-9F9E-09DA961ED5B8} - System32\Tasks\ALU => C:\Program Files (x86)\Acer\Live Updater\updater.exe [2013-03-13] ()
Task: {D9B313DA-8103-4F47-A417-147527C4920C} - System32\Tasks\iuEmailOutlookAgent => C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe [2013-02-08] ()
Task: {DB98D47B-A1AE-4C5B-8F2B-E318A3334ECD} - System32\Tasks\{31DDBD37-5DB7-4030-8064-10B0CAA806C3} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2014-12-13] (COMODO)
Task: {DC757743-9568-45D6-9C81-B6F9114E4156} - System32\Tasks\Recovery Management\Notification => C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exe [2013-01-23] (Acer Incorporated)
Task: {DFD3FD88-BD72-4726-958E-DCE6DDD552D4} - System32\Tasks\COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2014-12-13] (COMODO)
Task: {F445B4EE-FF5C-412F-B093-3A387E8AF118} - System32\Tasks\ALUAgent => C:\Program Files (x86)\Acer\Live Updater\liveupdater_agent.exe [2013-01-22] ()
Task: {F451AF5B-5FE4-4CA1-AC2C-5B8B0B9608C4} - System32\Tasks\COMODO\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: {FCA61716-C2ED-4049-86A2-E1F180474BEE} - System32\Tasks\Dolby Selector => C:\Dolby PCEE4\pcee4.exe [2012-08-31] (Dolby Laboratories Inc.)
Task: {FE3D98E8-E388-45D4-9B38-A44BD6C31DF5} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) ==============

2015-01-27 11:09 - 2015-01-27 11:09 - 00357376 ____T () c:\ProgramData\75ba36af7.zot
2013-09-05 02:36 - 2013-09-05 02:36 - 00013088 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2013-07-08 16:06 - 2013-02-20 21:58 - 00111176 _____ () C:\Program Files (x86)\Acer\clear.fi plug-in\Clearfishellext_x64.dll
2013-01-28 13:45 - 2013-01-28 13:45 - 00011264 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2013-01-28 13:42 - 2013-01-28 13:42 - 00084992 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\Map\MAP.dll
2013-01-28 13:47 - 2013-01-28 13:47 - 00012928 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
2013-02-08 22:24 - 2013-02-08 22:24 - 00025672 _____ () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe
2013-02-08 22:24 - 2013-02-08 22:24 - 00044616 _____ () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe
2013-04-15 17:39 - 2013-04-15 17:39 - 00073424 _____ () C:\Program Files\COMODO\COMODO Internet Security\scanners\smart.cav
2013-07-08 15:35 - 2012-06-25 03:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2015-02-07 20:35 - 2015-02-07 20:36 - 03925104 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2013-02-20 21:58 - 2013-02-20 21:58 - 02290248 _____ () C:\Program Files (x86)\Acer\clear.fi Media\QtCore4.dll
2013-02-20 21:58 - 2013-02-20 21:58 - 08174152 _____ () C:\Program Files (x86)\Acer\clear.fi Media\QtGui4.dll
2013-02-20 21:58 - 2013-02-20 21:58 - 00197704 _____ () C:\Program Files (x86)\Acer\clear.fi Media\QtSql4.dll
2013-02-20 21:58 - 2013-02-20 21:58 - 00921672 _____ () C:\Program Files (x86)\Acer\clear.fi Media\QtNetwork4.dll
2013-02-20 21:58 - 2013-02-20 21:58 - 00277576 _____ () C:\Program Files (x86)\Acer\clear.fi Media\libcurl.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\WINDOWS\explorer.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\adhsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\bdesvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\BFE.DLL:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\bisrv.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\crypt32.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\d3d9.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\DaOtpCredentialProvider.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\DeviceSetupStatusProvider.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcore.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcore6.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcsvc6.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dxtrans.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\framedyn.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\framedynos.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\fveapi.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\hal.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\httpprxm.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ie4uinit.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ieapfltr.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iedkcs32.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ieframe.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iepeers.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iertutil.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\IKEEXT.DLL:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\inetcomm.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\inetcpl.cpl:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iphlpsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\jscript.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\jscript9.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\KernelBase.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\lockscreencn.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\MDMAgent.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\MrmCoreR.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\MRT.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\msfeeds.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\mshtml.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\MshtmlDac.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\mshtmled.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\mstscax.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\msvcr120_clr0400.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\ncobjapi.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\ntdll.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\pcsvDevice.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\propsys.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\ProximityService.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\reseteng.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Robocopy.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\schedsvc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SearchFolder.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SET745D.tmp:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SkyDrive.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SkyDriveShell.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SkyDriveTelemetry.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SyncEngine.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SystemEventsBrokerServer.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\TsWpfWrp.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\uDWM.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\urlmon.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\UXInit.dll:$CmdTcID AlternateDataStreams: 
C:\WINDOWS\system32\vbscript.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\vpnike.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\webcheck.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Windows.ApplicationModel.Store.TestingFramework.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Windows.UI.Search.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WindowsCodecs.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\wininet.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Wldap32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Wpc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WpcMon.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WpcWebSync.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WSShared.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WUDFHost.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WUDFPlatform.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WUDFSvc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\crypt32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\d3d8thk.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\d3d9.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\DaOtpCredentialProvider.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\DeviceSetupStatusProvider.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcore.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcore6.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcsvc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcsvc6.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhRichClient3.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dxtrans.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\explorer.exe:$CmdTcID AlternateDataStreams: 
C:\WINDOWS\SysWOW64\FlashPlayerApp.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\framedyn.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\framedynos.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ieapfltr.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\iedkcs32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ieframe.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\iepeers.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\iertutil.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\inetcomm.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\inetcpl.cpl:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\jscript.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\jscript9.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\KernelBase.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\MrmCoreR.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\msfeeds.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\mshtml.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\MshtmlDac.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\mshtmled.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\mstscax.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\msvcr120_clr0400.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ncobjapi.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ntdll.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\PrintConfig.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\propsys.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Robocopy.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\SearchFolder.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\SkyDriveShell.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\sqlite36_engine.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\TsWpfWrp.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\urlmon.dll:$CmdTcID 
AlternateDataStreams: C:\WINDOWS\SysWOW64\UXInit.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\vbscript.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\webcheck.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Windows.ApplicationModel.Store.TestingFramework.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Windows.UI.Search.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\WindowsCodecs.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\wininet.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Wldap32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Wpc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\WSShared.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\agilevpn.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\mrxsmb.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\msgpioclx.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\vwififlt.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\vwifimp.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\WUDFPf.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\WUDFRd.sys:$CmdTcID AlternateDataStreams: C:\Users\******\OneDrive:ms-properties AlternateDataStreams: C:\Users\******\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_de.exe:$CmdTcID AlternateDataStreams: C:\Users\******\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_de.exe:$CmdZnID AlternateDataStreams: C:\Users\******\Downloads\document.pdf:$CmdTcID AlternateDataStreams: C:\Users\******\Downloads\document.pdf:$CmdZnID AlternateDataStreams: C:\Users\******\Downloads\Finanzreport_Nr.10_vom_04.11.2014665154.pdf:$CmdTcID AlternateDataStreams: C:\Users\******\Downloads\Finanzreport_Nr.10_vom_04.11.2014665154.pdf:$CmdZnID ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) 
==================== EXE Association (whitelisted) =============== (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== Other Registry Areas ===================== (Currently there is no automatic fix for this section.) HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\Control Panel\Desktop\\Wallpaper -> HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\******\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper ==================== MSCONFIG/TASK MANAGER disabled items == (Currently there is no automatic fix for this section.) HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\...\StartupApproved\StartupFolder: => "75BA36AF7.lnk" ==================== Accounts: ============================= Administrator (S-1-5-21-1264040666-3370852229-1384236812-500 - Administrator - Disabled) ****** (S-1-5-21-1264040666-3370852229-1384236812-1002 - Administrator - Enabled) => C:\Users\****** Gast (S-1-5-21-1264040666-3370852229-1384236812-501 - Limited - Disabled) UpdatusUser (S-1-5-21-1264040666-3370852229-1384236812-1001 - Limited - Enabled) => C:\Users\UpdatusUser ==================== Faulty Device Manager Devices ============= Could not list Devices. Check "winmgmt" service or repair WMI. ==================== Event log errors: ========================= Application errors: ================== Error: (02/08/2015 02:39:24 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "asmv2:clrClassInvocation1". Fehler in Manifest- oder Richtliniendatei "asmv2:clrClassInvocation2" in Zeile asmv2:clrClassInvocation3. Das asmv2:clrClassInvocation-Element wird als untergeordnetes Element des urn:schemas-microsoft-com:asm.v1^entryPoint-Elements angezeigt, das von dieser Windows-Version nicht unterstützt wird. 
Error: (02/08/2015 02:39:24 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "asmv2:clrClassInvocation1". Fehler in Manifest- oder Richtliniendatei "asmv2:clrClassInvocation2" in Zeile asmv2:clrClassInvocation3. Das asmv2:clrClassInvocation-Element wird als untergeordnetes Element des urn:schemas-microsoft-com:asm.v1^entryPoint-Elements angezeigt, das von dieser Windows-Version nicht unterstützt wird. Error: (02/08/2015 02:39:24 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "asmv2:clrClassInvocation1". Fehler in Manifest- oder Richtliniendatei "asmv2:clrClassInvocation2" in Zeile asmv2:clrClassInvocation3. Das asmv2:clrClassInvocation-Element wird als untergeordnetes Element des urn:schemas-microsoft-com:asm.v1^entryPoint-Elements angezeigt, das von dieser Windows-Version nicht unterstützt wird. Error: (02/08/2015 02:35:00 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Name der fehlerhaften Anwendung: ClearfiMedia.exe, Version: 2.2.2011.0, Zeitstempel: 0x5124e447 Name des fehlerhaften Moduls: ClearfiMedia.exe, Version: 2.2.2011.0, Zeitstempel: 0x5124e447 Ausnahmecode: 0xc0000005 Fehleroffset: 0x000e6856 ID des fehlerhaften Prozesses: 0x1d18 Startzeit der fehlerhaften Anwendung: 0xClearfiMedia.exe0 Pfad der fehlerhaften Anwendung: ClearfiMedia.exe1 Pfad des fehlerhaften Moduls: ClearfiMedia.exe2 Berichtskennung: ClearfiMedia.exe3 Vollständiger Name des fehlerhaften Pakets: ClearfiMedia.exe4 Anwendungs-ID, die relativ zum fehlerhaften Paket ist: ClearfiMedia.exe5 Error: (02/08/2015 02:28:04 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "asmv2:clrClassInvocation1". Fehler in Manifest- oder Richtliniendatei "asmv2:clrClassInvocation2" in Zeile asmv2:clrClassInvocation3. 
Das asmv2:clrClassInvocation-Element wird als untergeordnetes Element des urn:schemas-microsoft-com:asm.v1^entryPoint-Elements angezeigt, das von dieser Windows-Version nicht unterstützt wird. Error: (02/08/2015 02:28:04 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "asmv2:clrClassInvocation1". Fehler in Manifest- oder Richtliniendatei "asmv2:clrClassInvocation2" in Zeile asmv2:clrClassInvocation3. Das asmv2:clrClassInvocation-Element wird als untergeordnetes Element des urn:schemas-microsoft-com:asm.v1^entryPoint-Elements angezeigt, das von dieser Windows-Version nicht unterstützt wird. Error: (02/08/2015 02:28:04 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "asmv2:clrClassInvocation1". Fehler in Manifest- oder Richtliniendatei "asmv2:clrClassInvocation2" in Zeile asmv2:clrClassInvocation3. Das asmv2:clrClassInvocation-Element wird als untergeordnetes Element des urn:schemas-microsoft-com:asm.v1^entryPoint-Elements angezeigt, das von dieser Windows-Version nicht unterstützt wird. Error: (02/08/2015 02:22:20 PM) (Source: Application Hang) (EventID: 1002) (User: ) Description: Programm FRST64.exe, Version 7.2.2015.0 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen. Prozess-ID: dd0 Startzeit: 01d043a1faa0e559 Endzeit: 4294967295 Anwendungspfad: C:\Users\******\Desktop\BKA-Virus Jan. 2015\FRST64.exe Berichts-ID: 7f007615-af95-11e4-be86-2cd05af9bb94 Vollständiger Name des fehlerhaften Pakets: Anwendungs-ID, die relativ zum fehlerhaften Paket ist: Error: (02/08/2015 02:16:00 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "asmv2:clrClassInvocation1". 
Fehler in Manifest- oder Richtliniendatei "asmv2:clrClassInvocation2" in Zeile asmv2:clrClassInvocation3. Das asmv2:clrClassInvocation-Element wird als untergeordnetes Element des urn:schemas-microsoft-com:asm.v1^entryPoint-Elements angezeigt, das von dieser Windows-Version nicht unterstützt wird. Error: (02/08/2015 02:16:00 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "asmv2:clrClassInvocation1". Fehler in Manifest- oder Richtliniendatei "asmv2:clrClassInvocation2" in Zeile asmv2:clrClassInvocation3. Das asmv2:clrClassInvocation-Element wird als untergeordnetes Element des urn:schemas-microsoft-com:asm.v1^entryPoint-Elements angezeigt, das von dieser Windows-Version nicht unterstützt wird. System errors: ============= Error: (02/08/2015 03:16:55 PM) (Source: Service Control Manager) (EventID: 7023) (User: ) Description: Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%127 Error: (02/08/2015 03:16:55 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT) Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820} Error: (02/08/2015 03:14:54 PM) (Source: Service Control Manager) (EventID: 7023) (User: ) Description: Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%127 Error: (02/08/2015 03:14:54 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT) Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820} Error: (02/08/2015 03:12:54 PM) (Source: Service Control Manager) (EventID: 7023) (User: ) Description: Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%127 Error: (02/08/2015 03:12:54 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT) Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820} Error: (02/08/2015 03:10:54 PM) (Source: Service Control Manager) (EventID: 7023) (User: ) Description: Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%127 Error: 
(02/08/2015 03:10:54 PM) (Source: DCOM) (EventID: 10010) (User: WOHNZIMMER-PC) Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820} Error: (02/08/2015 03:08:54 PM) (Source: Service Control Manager) (EventID: 7023) (User: ) Description: Der Dienst "Windows-Verwaltungsinstrumentation" wurde mit folgendem Fehler beendet: %%127 Error: (02/08/2015 03:08:54 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT) Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820} Microsoft Office Sessions: ========================= Error: (02/08/2015 02:39:24 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.Manifest4 Error: (02/08/2015 02:39:24 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.Manifest4 Error: (02/08/2015 02:39:24 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.Manifest4 Error: (02/08/2015 02:35:00 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: ClearfiMedia.exe2.2.2011.05124e447ClearfiMedia.exe2.2.2011.05124e447c0000005000e68561d1801d043a1a04bc9e2C:\Program Files (x86)\Acer\clear.fi Media\ClearfiMedia.exeC:\Program Files (x86)\Acer\clear.fi Media\ClearfiMedia.exe47395284-af97-11e4-be86-2cd05af9bb94 Error: (02/08/2015 02:28:04 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 
2003\PowerPointAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.Manifest4 Error: (02/08/2015 02:28:04 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.Manifest4 Error: (02/08/2015 02:28:04 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.Manifest4 Error: (02/08/2015 02:22:20 PM) (Source: Application Hang) (EventID: 1002) (User: ) Description: FRST64.exe7.2.2015.0dd001d043a1faa0e5594294967295C:\Users\******\Desktop\BKA-Virus Jan. 2015\FRST64.exe7f007615-af95-11e4-be86-2cd05af9bb94 Error: (02/08/2015 02:16:00 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.Manifest4 Error: (02/08/2015 02:16:00 PM) (Source: SideBySide) (EventID: 72) (User: ) Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.Manifest4 CodeIntegrity Errors: =================================== Date: 2015-02-08 14:18:02.133 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. 
Date: 2015-02-08 11:49:47.997 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-08 02:10:46.561 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-08 01:05:02.448 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-08 00:54:56.821 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-08 00:31:59.100 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-08 00:08:59.411 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-07 23:28:13.379 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-07 23:07:35.532 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. 
Date: 2015-02-07 22:11:43.580 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system. ==================== Memory info =========================== Processor: Intel(R) Core(TM) i5-3230M CPU @ 2.60GHz Percentage of memory in use: 23% Total physical RAM: 8010.27 MB Available physical RAM: 6124.85 MB Total Pagefile: 16202.27 MB Available Pagefile: 13568.19 MB Total Virtual: 131072 MB Available Virtual: 131071.85 MB ==================== Drives ================================ Drive c: (Acer) (Fixed) (Total:913.26 GB) (Free:869.56 GB) NTFS ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 931.5 GB) (Disk ID: D0200254) Partition: GPT Partition Type. ==================== End Of Log ============================
08.02.2015, 18:35 | #12
/// the machine /// TB-Ausbilder
Please download Malwarebytes Anti-Malware.
Please download AdwCleaner to your desktop.
Please close your protection software to avoid possible conflicts.
And a fresh FRST log, please.
regards, schrauber
Proud Member of UNITE and ASAP since 2009. No support via PM!
08.02.2015, 23:21 | #13
Ok, here we go:

1. MBAM log:

Code:
ATTFilter Malwarebytes Anti-Malware www.malwarebytes.org Suchlauf Datum: 08.02.2015 Suchlauf-Zeit: 19:43:05 Logdatei: mbam1 (Orig).txt Administrator: Ja Version: 2.00.4.1028 Malware Datenbank: v2015.02.08.05 Rootkit Datenbank: v2015.02.03.01 Lizenz: Kostenlos Malware Schutz: Deaktiviert Bösartiger Webseiten Schutz: Deaktiviert Selbstschutz: Deaktiviert Betriebssystem: Windows 8.1 CPU: x64 Dateisystem: NTFS Benutzer: ***** Suchlauf-Art: Bedrohungs-Suchlauf Ergebnis: Abgeschlossen Durchsuchte Objekte: 397277 Verstrichene Zeit: 20 Min, 26 Sek Speicher: Aktiviert Autostart: Aktiviert Dateisystem: Aktiviert Archive: Aktiviert Rootkits: Deaktiviert Heuristik: Aktiviert PUP: Aktiviert PUM: Aktiviert Prozesse: 0 (Keine schädliche Elemente erkannt) Module: 0 (Keine schädliche Elemente erkannt) Registrierungsschlüssel: 0 (Keine schädliche Elemente erkannt) Registrierungswerte: 0 (Keine schädliche Elemente erkannt) Registrierungsdaten: 0 (Keine schädliche Elemente erkannt) Ordner: 0 (Keine schädliche Elemente erkannt) Dateien: 5 Trojan.Reveton.KR, C:\ProgramData\75BA36AF7.zot, Löschen bei Neustart, [6a9b0b112e5cda5c2360a47916ece917], Trojan.Agent.ED, C:\ProgramData\7FA63AB57.cpp, In Quarantäne, [ec1967b5fc8eb482a286749fe1217789], Trojan.Agent.ED, C:\Users\*****\AppData\Local\Temp\Low\5QRE.dll, In Quarantäne, [b4519b818208be78909833e0f210ed13], Trojan.Agent.ED, C:\Users\*****\AppData\Local\Temp\Low\iCJf.dll, In Quarantäne, [27de2eee7b0f64d2e44455bef30f15eb], Trojan.Agent.ED, C:\Users\*****\AppData\Local\Temp\Low\lFM4.dll, In Quarantäne, [fd08b8641674f1459692f023df238d73], Physische Sektoren: 0 (Keine schädliche Elemente erkannt) (end) Code:
ATTFilter # AdwCleaner v4.110 - Bericht erstellt 08/02/2015 um 21:02:35 # Aktualisiert 05/02/2015 von Xplode # Datenbank : 2015-02-08.1 [Server] # Betriebssystem : Windows 8.1 (x64) # Benutzername : ***** - WOHNZIMMER-PC # Gestarted von : C:\Users\*****\Desktop\BKA-Virus Jan. 2015\AdwCleaner_4.110.exe # Option : Löschen ***** [ Dienste ] ***** ***** [ Dateien / Ordner ] ***** ***** [ Geplante Tasks ] ***** ***** [ Verknüpfungen ] ***** ***** [ Registrierungsdatenbank ] ***** Schlüssel Gelöscht : HKLM\SOFTWARE\Classes\CLSID\{00B11DA2-75ED-4364-ABA5-9A95B1F5E946} Schlüssel Gelöscht : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C} Schlüssel Gelöscht : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C} Schlüssel Gelöscht : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C} Schlüssel Gelöscht : HKCU\Software\OCS ***** [ Internetbrowser ] ***** -\\ Internet Explorer v11.0.9600.17416 -\\ Mozilla Firefox v35.0.1 (x86 de) ************************* AdwCleaner[R0].txt - [1449 Bytes] - [08/02/2015 20:18:37] AdwCleaner[S0].txt - [1195 Bytes] - [08/02/2015 21:02:35] ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1254 Bytes] ##########

Unfortunately it has now been running for about 3.5 h, but so far it has only output 2 lines:
-Checking Startup
-Checking Processes
And now??

4. FRST log:

FRST Logfile:

Code:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-02-2015
Ran by ***** (administrator) on WOHNZIMMER-PC on 08-02-2015 21:14:49
Running from C:\Users\*****\Desktop\BKA-Virus Jan. 2015
Loaded Profiles: UpdatusUser & ***** (Available profiles: UpdatusUser & *****)
Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> services.exe
Failed to access process -> csrss.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Dritek System INC.) C:\Windows\RfBtnSvc64.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Atheros Communications) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Dolby Laboratories Inc.) C:\Dolby PCEE4\pcee4.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe
(CyberLink) C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WWAHost.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe
() C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Thisisu) C:\Users\*****\Desktop\BKA-Virus Jan. 2015\JRT.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Microsoft Corporation) C:\Windows\SysWOW64\taskkill.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2874256 2012-12-07] (ELAN Microelectronics Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13267016 2013-01-29] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1276488 2013-01-18] (Realtek Semiconductor)
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe
HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [LManager] => [X]
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2994880 2012-08-15] (Symantec Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132736 2013-01-28] ( (Atheros Communications))
HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2013-08-22] (Microsoft Corporation)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [168616 2013-09-05] (NVIDIA Corporation)
Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75BA36AF7.lnk
ShortcutTarget: 75BA36AF7.lnk -> C:\PROGRA~3\7FA63AB57.cpp (No File)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer13.msn.com
HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com
HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.yahoo.com/?fr=fp-comodo
HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1264040666-3370852229-1384236812-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{A5991357-9741-4C3E-BB6C-B10DE74BD949}: [NameServer] 156.154.70.25,156.154.71.25
Tcpip\..\Interfaces\{CE2573B1-6E34-444D-B297-E4E20EB9EDD5}: [NameServer] 156.154.70.25,156.154.71.25

FireFox:
========
FF ProfilePath: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default
FF SelectedSearchEngine: Yahoo
FF Homepage: hxxp://de.yahoo.com?fr=fp-comodo
FF Keyword.URL: hxxp://de.search.yahoo.com/search?fr=ytff-comodo&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\searchplugins\google-images.xml
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\searchplugins\google-maps.xml
FF Extension: Cliqz Beta - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\Extensions\cliqz@cliqz.com.xpi [2014-12-01]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\...\Firefox\Extensions: [cliqz@cliqz.com] - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\extensions\cliqz@cliqz.com

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [227456 2013-01-28] (Qualcomm Atheros Commnucations)
R2 CCDMonitorService; C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe [2615368 2013-02-19] (Acer Incorporated)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [7618952 2014-12-13] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2265304 2014-12-13] (COMODO)
S3 DeviceFastLaneService; C:\Program Files\Acer\Acer Device Fast-lane\DeviceFastLaneSvc.exe [469648 2012-11-16] (Acer Incorporated)
R3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [662088 2013-03-15] (Acer Incorporated)
R2 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [242912 2014-11-29] (Foxit Software Inc.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319376 2014-10-01] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-07-17] (Intel Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-15] (Symantec Corporation)
R2 RfButtonDriverService; C:\Windows\RfBtnSvc64.exe [93296 2013-07-08] (Dritek System INC.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-11-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-11-30] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~3\75BA36AF7.zot [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-01-28] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-09-24] (Microsoft Corporation)
R1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-26] (Symantec Corporation)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [20184 2014-12-09] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [807568 2014-12-09] (COMODO)
R1 cmdhlp; C:\Windows\system32\DRIVERS\cmdhlp.sys [35080 2014-12-09] (COMODO)
R1 inspect; C:\Windows\system32\DRIVERS\inspect.sys [126208 2014-12-09] (COMODO)
R3 Ps2Kb2Hid; C:\Windows\System32\drivers\aPs2Kb2Hid.sys [26736 2013-07-08] (Dritek System Inc.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-11-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-08 19:46 - 2015-02-08 21:02 - 00000000 ____D () C:\AdwCleaner
2015-02-08 19:41 - 2015-02-08 20:12 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-08 19:41 - 2015-02-08 19:41 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-08 19:41 - 2015-02-08 19:41 - 00000000 ____D () C:\Program Files (x86)\ Malwarebytes Anti-Malware
2015-02-08 19:41 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-02-08 19:41 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-02-08 19:41 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-02-08 13:01 - 2015-02-08 13:01 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-08 02:13 - 2015-02-08 02:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-02-08 02:13 - 2015-02-08 02:13 - 00000000 ____D () C:\Program Files\7-Zip
2015-02-08 00:42 - 2015-02-08 21:14 - 00000000 ____D () C:\FRST
2015-02-08 00:39 - 2015-02-08 00:39 - 00000000 _____ () C:\Users\*****\defogger_reenable
2015-02-08 00:33 - 2015-02-08 21:14 - 00000000 ____D () C:\Users\*****\Desktop\BKA-Virus Jan. 2015
2015-02-07 21:20 - 2015-02-07 21:21 - 00000000 ____D () C:\Users\*****\Doctor Web
2015-01-30 22:12 - 2015-01-30 22:12 - 542121823 _____ () C:\WINDOWS\MEMORY.DMP
2015-01-30 22:12 - 2015-01-30 22:12 - 00787856 _____ () C:\WINDOWS\Minidump\013015-22203-01.dmp
2015-01-30 22:12 - 2015-01-30 22:12 - 00000000 ____D () C:\WINDOWS\Minidump
2015-01-23 17:18 - 2015-01-23 17:18 - 00000424 _____ () C:\Users\*****\Desktop\Dieser PC - Verknüpfung.lnk
2015-01-18 16:27 - 2014-12-19 07:26 - 00140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2015-01-18 16:27 - 2014-12-12 03:04 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\system32\TSWbPrxy.exe
2015-01-18 16:27 - 2014-12-12 01:51 - 00075776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ahcache.sys
2015-01-18 16:27 - 2014-12-09 02:50 - 00225280 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00535640 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00531616 _____ (Microsoft Corporation) C:\WINDOWS\system32\ci.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00448792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00413248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Faultrep.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00372408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Faultrep.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00108944 _____ (Microsoft Corporation) C:\WINDOWS\system32\EncDump.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00038264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFaultSecure.exe
2015-01-18 16:27 - 2014-12-08 20:42 - 00033584 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFaultSecure.exe
2015-01-18 16:27 - 2014-12-06 04:17 - 00360448 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncsi.dll
2015-01-18 16:27 - 2014-12-06 02:41 - 00391680 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlasvc.dll
2015-01-18 16:27 - 2014-12-06 02:35 - 00229888 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2015-01-18 16:27 - 2014-10-29 05:00 - 00465320 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFault.exe
2015-01-18 16:27 - 2014-10-29 05:00 - 00139984 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
2015-01-18 16:27 - 2014-10-29 04:52 - 00500016 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioSes.dll
2015-01-18 16:27 - 2014-10-29 04:52 - 00482872 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEng.dll
2015-01-18 16:27 - 2014-10-29 04:52 - 00394120 _____ (Microsoft Corporation) C:\WINDOWS\system32\AUDIOKSE.dll
2015-01-18 16:27 - 2014-10-29 04:52 - 00272248 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiodg.exe
2015-01-18 16:27 - 2014-10-29 04:12 - 00413136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFault.exe
2015-01-18 16:27 - 2014-10-29 04:12 - 00136296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
2015-01-18 16:27 - 2014-10-29 04:07 - 00424544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioEng.dll
2015-01-18 16:27 - 2014-10-29 04:07 - 00370424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioSes.dll
2015-01-18 16:27 - 2014-10-29 04:07 - 00344536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AUDIOKSE.dll
2015-01-18 16:27 - 2014-10-29 03:44 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\system32\werdiagcontroller.dll
2015-01-18 16:27 - 2014-10-29 02:59 - 00033280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\werdiagcontroller.dll
2015-01-18 16:27 - 2014-10-29 02:24 - 00086016 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlaapi.dll
2015-01-18 16:27 - 2014-10-29 02:02 - 00911360 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-01-18 16:27 - 2014-10-29 02:01 - 00065536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\nlaapi.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-08 21:13 - 2014-11-29 22:31 - 01474832 _____ () C:\WINDOWS\system32\Drivers\sfi.dat
2015-02-08 21:06 - 2014-11-30 14:56 - 00000000 ____D () C:\Users\*****\OneDrive
2015-02-08 21:03 - 2014-09-23 22:06 - 00155836 _____ () C:\WINDOWS\PFRO.log
2015-02-08 21:03 - 2014-05-18 22:21 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-08 21:03 - 2013-08-22 15:46 - 00327785 _____ () C:\WINDOWS\setupact.log
2015-02-08 21:03 - 2013-08-22 15:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-08 21:03 - 2013-08-22 14:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-02-08 21:02 - 2014-12-14 10:56 - 00000884 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-08 21:02 - 2014-11-30 14:06 - 01267557 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-08 21:00 - 2013-08-22 16:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-02-08 20:04 - 2013-08-22 16:36 - 00000000 ___RD () C:\WINDOWS\Offline Web Pages
2015-02-08 16:31 - 2012-07-26 08:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-02-08 12:39 - 2014-03-04 03:24 - 00003600 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1264040666-3370852229-1384236812-1002
2015-02-08 12:32 - 2013-08-22 16:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-02-08 00:39 - 2014-11-30 14:13 - 00000000 ____D () C:\Users\*****
2015-02-07 21:02 - 2014-12-14 10:56 - 00003772 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-02-03 20:31 - 2014-12-13 09:46 - 00714720 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-02-03 20:31 - 2014-12-13 09:46 - 00106976 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-30 23:10 - 2014-03-04 03:16 - 00000000 ____D () C:\Users\*****\AppData\Roaming\Adobe
2015-01-26 15:22 - 2014-09-24 07:17 - 02121612 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-26 15:22 - 2014-09-24 06:43 - 01021576 _____ () C:\WINDOWS\system32\perfh007.dat
2015-01-26 15:22 - 2014-09-24 06:43 - 00243696 _____ () C:\WINDOWS\system32\perfc007.dat
2015-01-26 08:33 - 2014-11-29 18:10 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-26 08:29 - 2014-11-29 18:10 - 113365784 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-23 17:21 - 2014-07-26 18:53 - 00000000 ____D () C:\Users\*****\AppData\Local\clear.fi

==================== Files in the root of some directories =======

2013-07-08 15:44 - 2013-07-08 15:44 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\*****\AppData\Local\Temp\Quarantine.exe
C:\Users\*****\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-08 21:26

==================== End Of Log ============================

5. Addition-Log:

Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-02-2015
Ran by ***** at 2015-02-08 21:15:25
Running from C:\Users\*****\Desktop\BKA-Virus Jan. 2015
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

clear.fi SDK - Video 2 (x32 Version: 2.1.2606 - CyberLink Corp.) Hidden
clear.fi SDK- Movie 2 (x32 Version: 2.1.2606 - CyberLink Corp.) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Acer Device Fast-lane (HKLM\...\{3F62D2FD-13C1-49A2-8B5D-47623D9460D7}) (Version: 1.00.3011 - Acer Incorporated)
Acer Instant Update Service (HKLM\...\{81C6F800-A69B-4E70-9DC0-74732F8B00E7}) (Version: 1.00.3015 - Acer Incorporated)
Acer Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.3013 - Acer Incorporated)
Acer Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.3016 - Acer Incorporated)
AcerCloud Docs (HKLM-x32\...\{CA4FE8B0-298C-4E5D-A486-F33B126D6A0A}) (Version: 1.01.2008 - Acer Incorporated)
AcerCloud Portal (HKLM-x32\...\{A5AD0B17-F34D-49BE-A157-C8B3D52ACD13}) (Version: 2.02.2021 - Acer Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
clear.fi Media (HKLM-x32\...\{E9AF1707-3F3A-49E2-8345-4F2D629D0876}) (Version: 2.02.2012 - Acer Incorporated)
clear.fi Photo (HKLM-x32\...\{B5AD89F2-03D3-4206-8487-018298007DD0}) (Version: 2.02.2016 - Acer Incorporated)
Cliqz (HKLM-x32\...\{5A0C0737-6AFE-4DC6-A8B4-6DFE509ACD75}_is1) (Version: 0.5.31 - Cliqz.com)
COMODO Internet Security Premium (HKLM\...\{7B1A9CD1-B552-4FA7-BBC1-EDDEAB8855A7}) (Version: 8.0.0.4337 - COMODO Security Solutions Inc.)
CyberLink MediaEspresso 6.5 (HKLM-x32\...\InstallShield_{E3739848-5329-48E3-8D28-5BBD6E8BE384}) (Version: 6.5.3729_45993 - CyberLink Corp.)
Dolby Home Theater v4 (HKLM-x32\...\{B26438B4-BF51-49C3-9567-7F14A5E40CB9}) (Version: 7.2.8000.17 - Dolby Laboratories Inc)
eBay Worldwide (HKLM-x32\...\{91589413-6675-4C27-8AFC-EFB9103B90A5}) (Version: 2.4.0105 - OEM)
ETDWare PS/2-X64 11.6.17.002_WHQL (HKLM\...\Elantech) (Version: 11.6.17.002 - ELAN Microelectronic Corp.)
Foxit Cloud (HKLM-x32\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 2.1.32.905 - Foxit Software Inc.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 7.0.3.916 - Foxit Software Inc.)
Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.3006 - Acer Incorporated)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3958 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.5.4.1001 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Launch Manager (HKLM-x32\...\LManager) (Version: 7.0.10 - Acer Inc.)
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.3010 - Acer Incorporated)
Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 35.0.1 (x86 de) (HKLM-x32\...\Mozilla Firefox 35.0.1 (x86 de)) (Version: 35.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Nero BackItUp 12 Essentials OEM.a01 (HKLM-x32\...\{4CA8F973-6377-4ABF-9ED5-CC2323B3C000}) (Version: 12.5.00500 - Nero AG)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.2.3.51r2 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.1.0.14 - Symantec Corporation) Hidden
NVIDIA Grafiktreiber 311.30 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.30 - NVIDIA Corporation)
NVIDIA PhysX-Systemsoftware 9.12.1031 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.1031 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
Office Addin (HKLM-x32\...\{6D2BBE1D-E600-4695-BA37-0B0E605542CC}) (Version: 2.02.2008 - Acer)
Office Addin 2003 (HKLM-x32\...\{1FCC073B-CC01-4443-AD20-E559F66E6E83}) (Version: 2.02.2008 - Acer)
OpenOffice 4.1.1 (HKLM-x32\...\{ACD0FFF9-6B35-43C1-82DB-9FF6990E8602}) (Version: 4.11.9775 - Apache Software Foundation)
paint.net (HKLM\...\{F509C1F4-0029-49F9-B145-A4C4E8DF481A}) (Version: 4.0.3 - dotPDN LLC)
Prerequisite installer (x32 Version: 12.0.0003 - Nero AG) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.220 - Qualcomm Atheros Communications)
Qualcomm Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.7 - Qualcomm Atheros Communications Inc.)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 11.41 - Qualcomm Atheros)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6833 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.2.8400.28124 - Realtek Semiconductor Corp.)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Spotify (HKLM-x32\...\Spotify) (Version: 0.8.4.99.ga249b5f1 - Spotify AB)
Visual Studio 2005 Tools for Office Second Edition Runtime (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1264040666-3370852229-1384236812-1002_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)

==================== Restore Points =========================

Could not list restore points. Check "winmgmt" service or repair WMI.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 14:25 - 2013-08-22 14:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
Task: {34B5F279-7DA5-4330-87BD-89D99E9ECCBA} - System32\Tasks\iuBrowserIEAgent => C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe [2013-02-08] ()
Task: {35AB068A-60B1-4F7F-848C-7E37C6E048BD} - System32\Tasks\DeviceDetector => C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe [2013-02-08] (CyberLink)
Task: {52C554B3-246C-46D3-B6AD-7FA1E64E0629} - System32\Tasks\COMODO\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: {6E403754-8FE2-467A-BEA5-B027DE37D598} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-07] (Adobe Systems Incorporated)
Task: {7B908A10-3C74-4CD2-86BE-C7F7C5AD3155} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-27] (Adobe Systems Incorporated)
Task: {998BB934-9149-41A3-98F8-0A0C390F9458} - System32\Tasks\Power Management => C:\Program Files\Acer\Acer Power Management\ePowerTray.exe [2013-03-15] (Acer Incorporated)
Task: {A0AAADA7-23A6-4B9D-8306-C7C35CEE857C} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-01-26] (Microsoft Corporation)
Task: {CD32ACF4-E397-40C2-86C6-CB2B91014807} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: {D94CFF4C-A713-4825-9F9E-09DA961ED5B8} - System32\Tasks\ALU => C:\Program Files (x86)\Acer\Live Updater\updater.exe [2013-03-13] ()
Task: {D9B313DA-8103-4F47-A417-147527C4920C} - System32\Tasks\iuEmailOutlookAgent => C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe [2013-02-08] ()
Task: {DB98D47B-A1AE-4C5B-8F2B-E318A3334ECD} - System32\Tasks\{31DDBD37-5DB7-4030-8064-10B0CAA806C3} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2014-12-13] (COMODO)
Task: {DC757743-9568-45D6-9C81-B6F9114E4156} - System32\Tasks\Recovery Management\Notification => C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exe [2013-01-23] (Acer Incorporated)
Task: {DFD3FD88-BD72-4726-958E-DCE6DDD552D4} - System32\Tasks\COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2014-12-13] (COMODO)
Task: {F445B4EE-FF5C-412F-B093-3A387E8AF118} - System32\Tasks\ALUAgent => C:\Program Files (x86)\Acer\Live Updater\liveupdater_agent.exe [2013-01-22] ()
Task: {F451AF5B-5FE4-4CA1-AC2C-5B8B0B9608C4} - System32\Tasks\COMODO\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: {FCA61716-C2ED-4049-86A2-E1F180474BEE} - System32\Tasks\Dolby Selector => C:\Dolby PCEE4\pcee4.exe [2012-08-31] (Dolby Laboratories Inc.)
Task: {FE3D98E8-E388-45D4-9B38-A44BD6C31DF5} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) ==============

2013-09-05 02:36 - 2013-09-05 02:36 - 00013088 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2013-07-08 16:06 - 2013-02-20 21:58 - 00111176 _____ () C:\Program Files (x86)\Acer\clear.fi plug-in\Clearfishellext_x64.dll
2013-01-28 13:45 - 2013-01-28 13:45 - 00011264 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2013-01-28 13:42 - 2013-01-28 13:42 - 00084992 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\Map\MAP.dll
2013-01-28 13:47 - 2013-01-28 13:47 - 00012928 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
2013-02-08 22:24 - 2013-02-08 22:24 - 00044616 _____ () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe
2013-02-08 22:24 - 2013-02-08 22:24 - 00025672 _____ () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe
2013-07-08 15:35 - 2012-06-25 03:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2015-02-08 13:01 - 2015-02-08 13:01 - 03925104 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\WINDOWS\explorer.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\adhsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\bdesvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\BFE.DLL:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\bisrv.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\crypt32.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\d3d9.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\DaOtpCredentialProvider.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\DeviceSetupStatusProvider.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcore.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcore6.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcsvc6.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dxtrans.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\framedyn.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\framedynos.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\fveapi.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\hal.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\httpprxm.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ie4uinit.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ieapfltr.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iedkcs32.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ieframe.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iepeers.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iertutil.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\IKEEXT.DLL:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\inetcomm.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\inetcpl.cpl:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iphlpsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\jscript.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\jscript9.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\KernelBase.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\lockscreencn.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\MDMAgent.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\MrmCoreR.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\MRT.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\msfeeds.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\mshtml.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\MshtmlDac.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\mshtmled.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\mstscax.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\msvcr120_clr0400.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ncobjapi.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ntdll.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\pcsvDevice.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\propsys.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ProximityService.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\reseteng.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\Robocopy.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\schedsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\SearchFolder.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\SET745D.tmp:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\SkyDrive.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\SkyDriveShell.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\SkyDriveTelemetry.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\SyncEngine.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\SystemEventsBrokerServer.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\TsWpfWrp.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\uDWM.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\urlmon.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\UXInit.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\vbscript.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\vpnike.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\webcheck.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\Windows.ApplicationModel.Store.TestingFramework.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\Windows.UI.Search.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\WindowsCodecs.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\wininet.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\Wldap32.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\Wpc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\WpcMon.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\WpcWebSync.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\WSShared.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\WUDFHost.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\WUDFPlatform.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\WUDFSvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat:$CmdTcID
AlternateDataStreams: C:\WINDOWS\SysWOW64\crypt32.dll:$CmdTcID
AlternateDataStreams:
C:\WINDOWS\SysWOW64\d3d8thk.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\d3d9.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\DaOtpCredentialProvider.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\DeviceSetupStatusProvider.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcore.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcore6.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcsvc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcsvc6.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhRichClient3.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dxtrans.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\explorer.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\framedyn.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\framedynos.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ieapfltr.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\iedkcs32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ieframe.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\iepeers.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\iertutil.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\inetcomm.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\inetcpl.cpl:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\jscript.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\jscript9.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\KernelBase.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\MrmCoreR.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\msfeeds.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\mshtml.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\MshtmlDac.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\mshtmled.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\mstscax.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\msvcr120_clr0400.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ncobjapi.dll:$CmdTcID 
AlternateDataStreams: C:\WINDOWS\SysWOW64\ntdll.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\PrintConfig.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\propsys.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Robocopy.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\SearchFolder.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\SkyDriveShell.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\sqlite36_engine.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\TsWpfWrp.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\urlmon.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\UXInit.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\vbscript.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\webcheck.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Windows.ApplicationModel.Store.TestingFramework.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Windows.UI.Search.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\WindowsCodecs.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\wininet.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Wldap32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Wpc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\WSShared.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\agilevpn.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\mrxsmb.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\msgpioclx.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\vwififlt.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\vwifimp.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\WUDFPf.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\WUDFRd.sys:$CmdTcID AlternateDataStreams: C:\Users\*****\OneDrive:ms-properties AlternateDataStreams: C:\Users\*****\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_de.exe:$CmdTcID AlternateDataStreams: 
C:\Users\*****\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_de.exe:$CmdZnID
AlternateDataStreams: C:\Users\*****\Downloads\document.pdf:$CmdTcID
AlternateDataStreams: C:\Users\*****\Downloads\document.pdf:$CmdZnID
AlternateDataStreams: C:\Users\*****\Downloads\Finanzreport_Nr.10_vom_04.11.2014665154.pdf:$CmdTcID
AlternateDataStreams: C:\Users\*****\Downloads\Finanzreport_Nr.10_vom_04.11.2014665154.pdf:$CmdZnID

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Other Registry Areas =====================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\Control Panel\Desktop\\Wallpaper -> 
HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\*****\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\...\StartupApproved\StartupFolder: => "75BA36AF7.lnk"

==================== Accounts: =============================

Administrator (S-1-5-21-1264040666-3370852229-1384236812-500 - Administrator - Disabled)
***** (S-1-5-21-1264040666-3370852229-1384236812-1002 - Administrator - Enabled) => C:\Users\*****
Gast (S-1-5-21-1264040666-3370852229-1384236812-501 - Limited - Disabled)
UpdatusUser (S-1-5-21-1264040666-3370852229-1384236812-1001 - Limited - Enabled) => C:\Users\UpdatusUser

==================== Faulty Device Manager Devices =============

Could not list Devices. Check "winmgmt" service or repair WMI.
==================== Event log errors: =========================

Application errors:
==================
Error: (02/08/2015 10:57:07 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "asmv2:clrClassInvocation1". Error in manifest or policy file "asmv2:clrClassInvocation2" on line asmv2:clrClassInvocation3. The element asmv2:clrClassInvocation appears as a child of element urn:schemas-microsoft-com:asm.v1^entryPoint which is not supported by this version of Windows.

Error: (02/08/2015 10:57:07 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "asmv2:clrClassInvocation1". Error in manifest or policy file "asmv2:clrClassInvocation2" on line asmv2:clrClassInvocation3. The element asmv2:clrClassInvocation appears as a child of element urn:schemas-microsoft-com:asm.v1^entryPoint which is not supported by this version of Windows.

Error: (02/08/2015 10:57:07 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "asmv2:clrClassInvocation1". Error in manifest or policy file "asmv2:clrClassInvocation2" on line asmv2:clrClassInvocation3. The element asmv2:clrClassInvocation appears as a child of element urn:schemas-microsoft-com:asm.v1^entryPoint which is not supported by this version of Windows.

Error: (02/08/2015 10:02:22 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "asmv2:clrClassInvocation1". Error in manifest or policy file "asmv2:clrClassInvocation2" on line asmv2:clrClassInvocation3. The element asmv2:clrClassInvocation appears as a child of element urn:schemas-microsoft-com:asm.v1^entryPoint which is not supported by this version of Windows.

Error: (02/08/2015 10:02:22 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "asmv2:clrClassInvocation1". Error in manifest or policy file "asmv2:clrClassInvocation2" on line asmv2:clrClassInvocation3. The element asmv2:clrClassInvocation appears as a child of element urn:schemas-microsoft-com:asm.v1^entryPoint which is not supported by this version of Windows.

Error: (02/08/2015 10:02:22 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "asmv2:clrClassInvocation1". Error in manifest or policy file "asmv2:clrClassInvocation2" on line asmv2:clrClassInvocation3. The element asmv2:clrClassInvocation appears as a child of element urn:schemas-microsoft-com:asm.v1^entryPoint which is not supported by this version of Windows.

Error: (02/08/2015 09:37:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ePowerTray.exe, version: 7.0.3013.0, time stamp: 0x5142c4ea
Faulting module name: ePowerTray.exe, version: 7.0.3013.0, time stamp: 0x5142c4ea
Exception code: 0xc0000005
Fault offset: 0x000000000000792c
Faulting process id: 0xedc
Faulting application start time: 0xePowerTray.exe0
Faulting application path: ePowerTray.exe1
Faulting module path: ePowerTray.exe2
Report Id: ePowerTray.exe3
Faulting package full name: ePowerTray.exe4
Faulting package-relative application ID: ePowerTray.exe5

Error: (02/08/2015 09:15:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ePowerSvc.exe, version: 7.0.3013.0, time stamp: 0x5142c4d9
Faulting module name: ePowerSvc.exe, version: 7.0.3013.0, time stamp: 0x5142c4d9
Exception code: 0xc0000005
Fault offset: 0x000000000000aa80
Faulting process id: 0xef0
Faulting application start time: 0xePowerSvc.exe0
Faulting application path: ePowerSvc.exe1
Faulting module path: ePowerSvc.exe2
Report Id: ePowerSvc.exe3
Faulting package full name: ePowerSvc.exe4
Faulting package-relative application ID: ePowerSvc.exe5

Error: (02/08/2015 09:14:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Notification.exe, version: 6.0.3007.0, time stamp: 0x50ffcf8d
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17278, time stamp: 0x53eebf2e
Exception code: 0xe0434352
Fault offset: 0x000000000000606c
Faulting process id: 0xbd4
Faulting application start time: 0xNotification.exe0
Faulting application path: Notification.exe1
Faulting module path: Notification.exe2
Report Id: Notification.exe3
Faulting package full name: Notification.exe4
Faulting package-relative application ID: Notification.exe5

Error: (02/08/2015 09:14:54 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Notification.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Runtime.InteropServices.COMException
Stack:
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Notification.eRyBaseFunction.CheckPQServiceartition()
   at Notification.App.Main(System.String[])


System errors:
=============
Error: (02/08/2015 11:09:32 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/08/2015 11:09:32 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (02/08/2015 11:07:32 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/08/2015 11:07:32 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (02/08/2015 11:05:32 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/08/2015 11:05:32 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (02/08/2015 11:03:32 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/08/2015 11:03:32 PM) (Source: DCOM) (EventID: 10010) (User: WOHNZIMMER-PC)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (02/08/2015 11:01:32 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/08/2015 11:01:32 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}


Microsoft Office Sessions:
=========================
Error: (02/08/2015 10:57:07 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.Manifest4

Error: (02/08/2015 10:57:07 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.Manifest4

Error: (02/08/2015 10:57:07 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.Manifest4

Error: (02/08/2015 10:02:22 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.Manifest4

Error: (02/08/2015 10:02:22 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.Manifest4

Error: (02/08/2015 10:02:22 PM) (Source: SideBySide) (EventID: 72) (User: )
Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.Manifest4

Error: (02/08/2015 09:37:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: ePowerTray.exe7.0.3013.05142c4eaePowerTray.exe7.0.3013.05142c4eac0000005000000000000792cedc01d043da6ee92452C:\Program Files\Acer\Acer Power Management\ePowerTray.exeC:\Program Files\Acer\Acer Power Management\ePowerTray.exe508f9c29-afd2-11e4-be88-2cd05af9bb94

Error: (02/08/2015 09:15:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: ePowerSvc.exe7.0.3013.05142c4d9ePowerSvc.exe7.0.3013.05142c4d9c0000005000000000000aa80ef001d043da6feaa569C:\Program Files\Acer\Acer Power Management\ePowerSvc.exeC:\Program Files\Acer\Acer Power Management\ePowerSvc.exe3d959da6-afcf-11e4-be88-2cd05af9bb94

Error: (02/08/2015 09:14:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Notification.exe6.0.3007.050ffcf8dKERNELBASE.dll6.3.9600.1727853eebf2ee0434352000000000000606cbd401d043dbc2a2167fC:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exeC:\WINDOWS\system32\KERNELBASE.dll24af2df1-afcf-11e4-be88-2cd05af9bb94

Error: (02/08/2015 09:14:54 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Notification.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Runtime.InteropServices.COMException
Stack:
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Notification.eRyBaseFunction.CheckPQServiceartition()
   at Notification.App.Main(System.String[])


CodeIntegrity Errors:
===================================
  Date: 2015-02-08 21:39:43.635
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-02-08 21:05:26.823
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-02-08 20:59:06.070
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-02-08 20:08:50.405
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-02-08 20:04:01.025
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-02-08 19:46:14.731
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-02-08 19:40:21.723
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-02-08 16:42:16.986
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-02-08 14:18:02.133
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2015-02-08 11:49:47.997
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-3230M CPU @ 2.60GHz
Percentage of memory in use: 20%
Total physical RAM: 8010.27 MB
Available physical RAM: 6361.9 MB
Total Pagefile: 16202.27 MB
Available Pagefile: 14046.65 MB
Total Virtual: 131072 MB
Available Virtual: 131071.85 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:913.26 GB) (Free:869.14 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: D0200254)
Partition: GPT Partition Type.

==================== End Of Log ============================
|
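The Addition.txt above carries three entries that belong together: the MSCONFIG/Task Manager section shows the user's StartupApproved\StartupFolder value for "75BA36AF7.lnk" (that is what Task Manager writes when an item is switched off; the .lnk itself stays in the Startup folder), the device section shows WMI is not answering, and the later FRST.txt in this thread resolves the shortcut to C:\PROGRA~3\7FA63AB57.cpp, which the poster says is launched through rundll32 ... ,work. The triage script below is an added example and not code from the poster, the helper or FRST: it parses FRST-style lines and correlates those three signals. The sample lines are constructed to mirror the thread's entries, and which extensions and directories count as suspicious are this example's own assumptions, not rules FRST applies.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) log lines for startup-shortcut persistence.

Added example for this thread; not code from the poster, the helper or FRST.
The sample lines are constructed to mirror the thread's entries (the 75BA36AF7.lnk
startup shortcut, its C:\\PROGRA~3\\7FA63AB57.cpp target, the StartupApproved value
written when the item was disabled in Task Manager, and the rundll32 ... ,work
command line the poster quotes). The suspicious-extension and directory lists are
assumptions of this example.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: Addition.txt / FRST.txt style lines modelled on the thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2874256 2012-12-07] (ELAN Microelectronics Corp.)
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75BA36AF7.lnk
ShortcutTarget: 75BA36AF7.lnk -> C:\PROGRA~3\7FA63AB57.cpp (No File)
HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\...\StartupApproved\StartupFolder: => "75BA36AF7.lnk"
Could not list Devices. Check "winmgmt" service or repair WMI.
"""

# Constructed: the shortcut command line as quoted by the poster.
SAMPLE_LNK_CMDLINE = r"%systemroot%\system32\rundll32.exe C:\PROGRA~3\7FA63AB57.cpp,work"

# Assumptions of this example: what a startup shortcut normally launches, what
# rundll32 is normally handed, and which directories an unprivileged user can write.
LAUNCHABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".msi", ".vbs", ".js", ".wsf", ".hta", ".ps1"}
RUNDLL_MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax"}
USER_WRITABLE_DIRS = ("\\programdata\\", "\\progra~3\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

STARTUP_RE = re.compile(r"^Startup:\s+(?P<path>.+\.lnk)\s*$", re.IGNORECASE)
SHORTCUT_RE = re.compile(r"^ShortcutTarget:\s+(?P<lnk>\S+)\s+->\s+(?P<target>.+?)\s+\((?P<note>[^)]*)\)\s*$")
APPROVED_RE = re.compile(r'StartupApproved\\(?P<key>\w+):\s+=>\s+"(?P<name>[^"]+)"')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?P<module>"[^"]+"|\S+?),(?P<export>\S+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str
    detail: str


def _ext(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS.
    return ntpath.splitext(path.strip('"'))[1].lower()


def _in_user_writable_dir(path: str) -> bool:
    return any(d in path.lower() for d in USER_WRITABLE_DIRS)


def check_rundll32_cmdline(cmdline: str) -> Finding | None:
    """Flag rundll32 loading a module that is not a DLL-type file or sits in a
    user-writable directory. LoadLibrary ignores the extension, so a PE renamed
    to .cpp loads just fine; the odd name only hides it from a casual look."""
    m = RUNDLL_RE.search(cmdline)
    if m is None:
        return None
    module = m["module"].strip('"')
    reasons = []
    if _ext(module) not in RUNDLL_MODULE_EXTS:
        reasons.append(f"module extension {_ext(module) or '(none)'} is not a DLL type")
    if _in_user_writable_dir(module):
        reasons.append("module lives in a user-writable data directory")
    if not reasons:
        return None
    return Finding("high", "rundll32-module", f"{module} export {m['export']}: " + "; ".join(reasons))


def triage(log_text: str) -> list[Finding]:
    """Walk FRST-style lines and correlate Startup-folder shortcuts, their targets,
    Task-Manager-disabled items (StartupApproved) and the WMI health notice."""
    findings: list[Finding] = []
    startup_paths: dict[str, str] = {}          # lnk name (lower) -> full path
    targets: dict[str, tuple[str, str]] = {}    # lnk name (lower) -> (target, note)
    disabled: set[str] = set()

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (f := check_rundll32_cmdline(line)) is not None:
            findings.append(f)
        if (m := STARTUP_RE.match(line)) is not None:
            startup_paths[ntpath.basename(m["path"]).lower()] = m["path"]
        elif (m := SHORTCUT_RE.match(line)) is not None:
            targets[m["lnk"].lower()] = (m["target"], m["note"])
        elif (m := APPROVED_RE.search(line)) is not None:
            disabled.add(m["name"].lower())
        elif "could not list devices" in line.lower():
            findings.append(Finding("medium", "wmi-broken",
                "WMI is not answering: Security Center / antivirus status in this and "
                "other tool reports is unreliable until winmgmt is repaired"))

    for lnk, (target, note) in targets.items():
        reasons = []
        if _ext(target) not in LAUNCHABLE_EXTS:
            reasons.append(f"target extension {_ext(target) or '(none)'} is not a normal executable type")
        if _in_user_writable_dir(target):
            reasons.append("target lives in a user-writable data directory")
        severity = "high" if reasons else "info"
        if note.strip().lower() == "no file":
            reasons.append("target file is gone, the .lnk is dangling")
        if lnk in disabled:
            reasons.append("only disabled via Task Manager (StartupApproved); the .lnk "
                           "and the StartupApproved value still need removing")
        if reasons:
            where = startup_paths.get(lnk, lnk)
            findings.append(Finding(severity, "startup-lnk", f"{where} -> {target}: " + "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    if (r := check_rundll32_cmdline(SAMPLE_LNK_CMDLINE)) is not None:
        results.append(r)
    for f in results:
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

Run it against a real FRST.txt plus Addition.txt by passing their concatenated text to triage(); the rundll32 check also runs on every Run/RunOnce/Task line, so a rundll32 entry with a non-DLL module anywhere in the log is reported the same way.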
09.02.2015, 17:34 | #14 |
/// the machine /// TB-Ausbilder | Windows 8.1, "BKA/Interpol virus", PC runs, process disabled in Task Manager
ESET Online Scanner
Please download SecurityCheck and:
and a fresh FRST log, please. Any problems left?
__________________ regards, schrauber Proud Member of UNITE and ASAP since 2009 No help via PM! |
10.02.2015, 22:01 | #15 |
| Windows 8.1, "BKA/Interpol virus", PC runs, process disabled in Task Manager
ESET log:
Code:
ATTFilter
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=572cb706fb6825428808c10d8ed82a92
# engine=22389
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2015-02-10 01:30:51
# local_time=2015-02-10 02:30:51 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.2.9200 NT
# compatibility_mode_1='COMODO Antivirus'
# compatibility_mode=3081 16777213 87 100 4612038 57487891 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 6182971 48413144 0 0
# scanned=155952
# found=0
# cleaned=0
# scan_time=3713
Code:
ATTFilter
Results of screen317's Security Check version 0.99.96
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java 64-bit 8 Update 31
Adobe Flash Player 16.0.0.305
Adobe Reader XI
Mozilla Firefox (35.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````

The "7FA63AB57.cpp" still shows up in Autostart. That was the file I disabled so that the "BKA" page doesn't pop up within a few seconds. What do I do with it? During an earlier scan I had also found a *.zot of it on the system, but at the moment it no longer finds anything of it on the machine. Should I simply delete the entry "by hand"? Or would I tear off some links into the registry or the like by doing that? The shortcut points here:
%systemroot%\system32\rundll32.exe C:\PROGRA~3\7FA63AB57.cpp,work

Second problem: the DOS programs don't seem to run on this machine. SecurityCheck also looked as if it had got stuck at "Preparing". I only got the output after more than an hour. Is that normal? How long does an FRST scan take on average? I let JRT run all night, which didn't help either. I couldn't find any "jrt.txt" on the machine.

Problem 3: just occurred (possibly related to SecurityCheck): I got an "AutoIt Error" popup window saying: (X) Line-1: Error: Variable must be of type "Object". [OK] Hm, after pressing [OK] SecurityCheck suddenly showed "Preparing Done!"

Sorry that so much has piled up again.
I admire your stamina in explaining all this over and over to complete strangers. Respect! And once again "thank you!", because it can't be said often enough. So, now "quickly" the FRST log:
FRST Logfile:
Code:
ATTFilter Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-02-2015 Ran by ***** (administrator) on WOHNZIMMER-PC on 10-02-2015 10:23:45 Running from C:\Users\*****\Desktop\BKA-Virus Jan. 2015 Loaded Profiles: UpdatusUser & ***** (Available profiles: UpdatusUser & *****) Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland) Internet Explorer Version 11 (Default browser: FF) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) Failed to access process -> smss.exe Failed to access process -> csrss.exe Failed to access process -> services.exe Failed to access process -> csrss.exe (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe (Intel Corporation) C:\Windows\System32\igfxCUIService.exe (Qualcomm Atheros Commnucations) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe (Acer Incorporated) C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe (Microsoft Corporation) C:\Windows\System32\dasHost.exe (Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe (Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe (Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe (Dritek System INC.) C:\Windows\RfBtnSvc64.exe (Realsil Microelectronics Inc.) 
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMutilps32.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe (Microsoft Corporation) C:\Windows\System32\SkyDrive.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe (Atheros Communications) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe (ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Microsoft Corporation) C:\Windows\System32\WWAHost.exe (Intel Corporation) C:\Windows\System32\igfxTray.exe (Intel Corporation) C:\Windows\System32\igfxEM.exe (Dolby Laboratories Inc.) 
C:\Dolby PCEE4\pcee4.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (CyberLink) C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\ComUpdatus.exe (Intel Corporation) C:\Windows\System32\igfxHK.exe () C:\Users\*****\Desktop\BKA-Virus Jan. 2015\SecurityCheck.exe (Microsoft Corporation) C:\Windows\System32\Taskmgr.exe (Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe (Intel Corporation) C:\Windows\System32\igfxext.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdupd.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2874256 2012-12-07] (ELAN Microelectronics Corp.) 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13267016 2013-01-29] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1276488 2013-01-18] (Realtek Semiconductor) HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe HKLM\...\Run: [] => [X] HKLM-x32\...\Run: [LManager] => [X] HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2994880 2012-08-15] (Symantec Corporation) HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132736 2013-01-28] ( (Atheros Communications)) HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2013-08-22] (Microsoft Corporation) AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [168616 2013-09-05] (NVIDIA Corporation) Startup: C:\Users\*****\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75BA36AF7.lnk ShortcutTarget: 75BA36AF7.lnk -> C:\PROGRA~3\7FA63AB57.cpp (No File) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) 
HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer13.msn.com
HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com
HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://de.yahoo.com/?fr=fp-comodo
HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1264040666-3370852229-1384236812-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{A5991357-9741-4C3E-BB6C-B10DE74BD949}: [NameServer] 156.154.70.25,156.154.71.25
Tcpip\..\Interfaces\{CE2573B1-6E34-444D-B297-E4E20EB9EDD5}: [NameServer] 156.154.70.25,156.154.71.25

FireFox:
========
FF ProfilePath: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default
FF SelectedSearchEngine: Yahoo
FF Homepage: hxxp://de.yahoo.com?fr=fp-comodo
FF Keyword.URL: hxxp://de.search.yahoo.com/search?fr=ytff-comodo&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\searchplugins\google-images.xml
FF SearchPlugin: C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\searchplugins\google-maps.xml
FF Extension: Cliqz Beta - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\Extensions\cliqz@cliqz.com.xpi [2014-12-01]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\...\Firefox\Extensions: [cliqz@cliqz.com] - C:\Users\*****\AppData\Roaming\Mozilla\Firefox\Profiles\ca48qdon.default\extensions\cliqz@cliqz.com

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [227456 2013-01-28] (Qualcomm Atheros Commnucations)
R2 CCDMonitorService; C:\Program Files (x86)\Acer\Acer Cloud\CCDMonitorService.exe [2615368 2013-02-19] (Acer Incorporated)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [7618952 2014-12-13] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2265304 2014-12-13] (COMODO)
S3 DeviceFastLaneService; C:\Program Files\Acer\Acer Device Fast-lane\DeviceFastLaneSvc.exe [469648 2012-11-16] (Acer Incorporated)
S3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [662088 2013-03-15] (Acer Incorporated)
R2 FoxitCloudUpdateService; C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [242912 2014-11-29] (Foxit Software Inc.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319376 2014-10-01] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-07-17] (Intel Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-15] (Symantec Corporation)
R2 RfButtonDriverService; C:\Windows\RfBtnSvc64.exe [93296 2013-07-08] (Dritek System INC.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-11-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-11-30] (Microsoft Corporation)
S2 Winmgmt; C:\PROGRA~3\75BA36AF7.zot [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-01-28] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-09-24] (Microsoft Corporation)
R1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-26] (Symantec Corporation)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [20184 2014-12-09] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [807568 2014-12-09] (COMODO)
R1 cmdhlp; C:\Windows\system32\DRIVERS\cmdhlp.sys [35080 2014-12-09] (COMODO)
R1 inspect; C:\Windows\system32\DRIVERS\inspect.sys [126208 2014-12-09] (COMODO)
R3 Ps2Kb2Hid; C:\Windows\System32\drivers\aPs2Kb2Hid.sys [26736 2013-07-08] (Dritek System Inc.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-11-30] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-10 10:22 - 2015-02-10 10:23 - 00003173 _____ () C:\Users\*****\Desktop\Neues Textdokument.txt
2015-02-08 19:46 - 2015-02-08 21:02 - 00000000 ____D () C:\AdwCleaner
2015-02-08 19:41 - 2015-02-08 20:12 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-08 19:41 - 2015-02-08 19:41 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-08 19:41 - 2015-02-08 19:41 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-08 19:41 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-02-08 19:41 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-02-08 19:41 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-02-08 13:01 - 2015-02-08 13:01 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-02-08 02:13 - 2015-02-08 02:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-02-08 02:13 - 2015-02-08 02:13 - 00000000 ____D () C:\Program Files\7-Zip
2015-02-08 00:42 - 2015-02-10 10:23 - 00000000 ____D () C:\FRST
2015-02-08 00:39 - 2015-02-08 00:39 - 00000000 _____ () C:\Users\*****\defogger_reenable
2015-02-08 00:33 - 2015-02-10 10:23 - 00000000 ____D () C:\Users\*****\Desktop\BKA-Virus Jan. 2015
2015-02-07 21:20 - 2015-02-07 21:21 - 00000000 ____D () C:\Users\*****\Doctor Web
2015-01-30 22:12 - 2015-01-30 22:12 - 542121823 _____ () C:\WINDOWS\MEMORY.DMP
2015-01-30 22:12 - 2015-01-30 22:12 - 00787856 _____ () C:\WINDOWS\Minidump\013015-22203-01.dmp
2015-01-30 22:12 - 2015-01-30 22:12 - 00000000 ____D () C:\WINDOWS\Minidump
2015-01-23 17:18 - 2015-01-23 17:18 - 00000424 _____ () C:\Users\*****\Desktop\Dieser PC - Verknüpfung.lnk
2015-01-18 16:27 - 2014-12-19 07:26 - 00140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2015-01-18 16:27 - 2014-12-12 03:04 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\system32\TSWbPrxy.exe
2015-01-18 16:27 - 2014-12-12 01:51 - 00075776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ahcache.sys
2015-01-18 16:27 - 2014-12-09 02:50 - 00225280 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00535640 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00531616 _____ (Microsoft Corporation) C:\WINDOWS\system32\ci.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00448792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00413248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Faultrep.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00372408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Faultrep.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00108944 _____ (Microsoft Corporation) C:\WINDOWS\system32\EncDump.dll
2015-01-18 16:27 - 2014-12-08 20:42 - 00038264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFaultSecure.exe
2015-01-18 16:27 - 2014-12-08 20:42 - 00033584 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFaultSecure.exe
2015-01-18 16:27 - 2014-12-06 04:17 - 00360448 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncsi.dll
2015-01-18 16:27 - 2014-12-06 02:41 - 00391680 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlasvc.dll
2015-01-18 16:27 - 2014-12-06 02:35 - 00229888 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2015-01-18 16:27 - 2014-10-29 05:00 - 00465320 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFault.exe
2015-01-18 16:27 - 2014-10-29 05:00 - 00139984 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
2015-01-18 16:27 - 2014-10-29 04:52 - 00500016 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioSes.dll
2015-01-18 16:27 - 2014-10-29 04:52 - 00482872 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEng.dll
2015-01-18 16:27 - 2014-10-29 04:52 - 00394120 _____ (Microsoft Corporation) C:\WINDOWS\system32\AUDIOKSE.dll
2015-01-18 16:27 - 2014-10-29 04:52 - 00272248 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiodg.exe
2015-01-18 16:27 - 2014-10-29 04:12 - 00413136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFault.exe
2015-01-18 16:27 - 2014-10-29 04:12 - 00136296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
2015-01-18 16:27 - 2014-10-29 04:07 - 00424544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioEng.dll
2015-01-18 16:27 - 2014-10-29 04:07 - 00370424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioSes.dll
2015-01-18 16:27 - 2014-10-29 04:07 - 00344536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AUDIOKSE.dll
2015-01-18 16:27 - 2014-10-29 03:44 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\system32\werdiagcontroller.dll
2015-01-18 16:27 - 2014-10-29 02:59 - 00033280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\werdiagcontroller.dll
2015-01-18 16:27 - 2014-10-29 02:24 - 00086016 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlaapi.dll
2015-01-18 16:27 - 2014-10-29 02:02 - 00911360 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-01-18 16:27 - 2014-10-29 02:01 - 00065536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\nlaapi.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-10 10:20 - 2014-11-29 22:31 - 01474832 _____ () C:\WINDOWS\system32\Drivers\sfi.dat
2015-02-10 10:05 - 2014-11-30 14:06 - 01461037 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-10 10:02 - 2014-12-14 10:56 - 00000884 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-10 10:00 - 2013-08-22 16:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-02-10 09:19 - 2014-11-30 14:56 - 00000000 ___DO () C:\Users\*****\OneDrive
2015-02-10 09:18 - 2014-11-30 14:13 - 00000000 ____D () C:\Users\*****
2015-02-10 09:10 - 2013-08-22 15:46 - 00327862 _____ () C:\WINDOWS\setupact.log
2015-02-10 09:10 - 2013-08-22 15:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-08 21:03 - 2014-09-23 22:06 - 00155836 _____ () C:\WINDOWS\PFRO.log
2015-02-08 21:03 - 2014-05-18 22:21 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-02-08 21:03 - 2013-08-22 14:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-02-08 20:04 - 2013-08-22 16:36 - 00000000 ___RD () C:\WINDOWS\Offline Web Pages
2015-02-08 16:31 - 2012-07-26 08:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-02-08 12:39 - 2014-03-04 03:24 - 00003600 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1264040666-3370852229-1384236812-1002
2015-02-08 12:32 - 2013-08-22 16:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-02-07 21:02 - 2014-12-14 10:56 - 00003772 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-02-03 20:31 - 2014-12-13 09:46 - 00714720 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-02-03 20:31 - 2014-12-13 09:46 - 00106976 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-30 23:10 - 2014-03-04 03:16 - 00000000 ____D () C:\Users\*****\AppData\Roaming\Adobe
2015-01-26 15:22 - 2014-09-24 07:17 - 02121612 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-26 15:22 - 2014-09-24 06:43 - 01021576 _____ () C:\WINDOWS\system32\perfh007.dat
2015-01-26 15:22 - 2014-09-24 06:43 - 00243696 _____ () C:\WINDOWS\system32\perfc007.dat
2015-01-26 08:33 - 2014-11-29 18:10 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-26 08:29 - 2014-11-29 18:10 - 113365784 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-23 17:21 - 2014-07-26 18:53 - 00000000 ____D () C:\Users\*****\AppData\Local\clear.fi

==================== Files in the root of some directories =======

2013-07-08 15:44 - 2013-07-08 15:44 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some content of TEMP:
====================
C:\Users\*****\AppData\Local\Temp\Quarantine.exe
C:\Users\*****\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-10 10:35

==================== End Of Log ============================

and the Addition log:

Code:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-02-2015
Ran by ***** at 2015-02-10 10:24:43
Running from C:\Users\*****\Desktop\BKA-Virus Jan. 2015
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

clear.fi SDK - Video 2 (x32 Version: 2.1.2606 - CyberLink Corp.) Hidden
clear.fi SDK- Movie 2 (x32 Version: 2.1.2606 - CyberLink Corp.) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Acer Device Fast-lane (HKLM\...\{3F62D2FD-13C1-49A2-8B5D-47623D9460D7}) (Version: 1.00.3011 - Acer Incorporated)
Acer Instant Update Service (HKLM\...\{81C6F800-A69B-4E70-9DC0-74732F8B00E7}) (Version: 1.00.3015 - Acer Incorporated)
Acer Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.3013 - Acer Incorporated)
Acer Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.3016 - Acer Incorporated)
AcerCloud Docs (HKLM-x32\...\{CA4FE8B0-298C-4E5D-A486-F33B126D6A0A}) (Version: 1.01.2008 - Acer Incorporated)
AcerCloud Portal (HKLM-x32\...\{A5AD0B17-F34D-49BE-A157-C8B3D52ACD13}) (Version: 2.02.2021 - Acer Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
clear.fi Media (HKLM-x32\...\{E9AF1707-3F3A-49E2-8345-4F2D629D0876}) (Version: 2.02.2012 - Acer Incorporated)
clear.fi Photo (HKLM-x32\...\{B5AD89F2-03D3-4206-8487-018298007DD0}) (Version: 2.02.2016 - Acer Incorporated)
Cliqz (HKLM-x32\...\{5A0C0737-6AFE-4DC6-A8B4-6DFE509ACD75}_is1) (Version: 0.5.31 - Cliqz.com)
COMODO Internet Security Premium (HKLM\...\{7B1A9CD1-B552-4FA7-BBC1-EDDEAB8855A7}) (Version: 8.0.0.4337 - COMODO Security Solutions Inc.)
CyberLink MediaEspresso 6.5 (HKLM-x32\...\InstallShield_{E3739848-5329-48E3-8D28-5BBD6E8BE384}) (Version: 6.5.3729_45993 - CyberLink Corp.)
Dolby Home Theater v4 (HKLM-x32\...\{B26438B4-BF51-49C3-9567-7F14A5E40CB9}) (Version: 7.2.8000.17 - Dolby Laboratories Inc)
eBay Worldwide (HKLM-x32\...\{91589413-6675-4C27-8AFC-EFB9103B90A5}) (Version: 2.4.0105 - OEM)
ETDWare PS/2-X64 11.6.17.002_WHQL (HKLM\...\Elantech) (Version: 11.6.17.002 - ELAN Microelectronic Corp.)
Foxit Cloud (HKLM-x32\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 2.1.32.905 - Foxit Software Inc.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 7.0.3.916 - Foxit Software Inc.)
Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.3006 - Acer Incorporated)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3958 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.5.4.1001 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Launch Manager (HKLM-x32\...\LManager) (Version: 7.0.10 - Acer Inc.)
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.3010 - Acer Incorporated)
Malwarebytes Anti-Malware Version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 35.0.1 (x86 de) (HKLM-x32\...\Mozilla Firefox 35.0.1 (x86 de)) (Version: 35.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Nero BackItUp 12 Essentials OEM.a01 (HKLM-x32\...\{4CA8F973-6377-4ABF-9ED5-CC2323B3C000}) (Version: 12.5.00500 - Nero AG)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.2.3.51r2 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.1.0.14 - Symantec Corporation) Hidden
NVIDIA Grafiktreiber 311.30 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.30 - NVIDIA Corporation)
NVIDIA PhysX-Systemsoftware 9.12.1031 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.1031 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
Office Addin (HKLM-x32\...\{6D2BBE1D-E600-4695-BA37-0B0E605542CC}) (Version: 2.02.2008 - Acer)
Office Addin 2003 (HKLM-x32\...\{1FCC073B-CC01-4443-AD20-E559F66E6E83}) (Version: 2.02.2008 - Acer)
OpenOffice 4.1.1 (HKLM-x32\...\{ACD0FFF9-6B35-43C1-82DB-9FF6990E8602}) (Version: 4.11.9775 - Apache Software Foundation)
paint.net (HKLM\...\{F509C1F4-0029-49F9-B145-A4C4E8DF481A}) (Version: 4.0.3 - dotPDN LLC)
Prerequisite installer (x32 Version: 12.0.0003 - Nero AG) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.220 - Qualcomm Atheros Communications)
Qualcomm Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.7 - Qualcomm Atheros Communications Inc.)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 11.41 - Qualcomm Atheros)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6833 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.2.8400.28124 - Realtek Semiconductor Corp.)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Spotify (HKLM-x32\...\Spotify) (Version: 0.8.4.99.ga249b5f1 - Spotify AB)
Visual Studio 2005 Tools for Office Second Edition Runtime (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1264040666-3370852229-1384236812-1002_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)

==================== Restore Points =========================

Could not list restore points. Check "winmgmt" service or repair WMI.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 14:25 - 2013-08-22 14:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
Task: {34B5F279-7DA5-4330-87BD-89D99E9ECCBA} - System32\Tasks\iuBrowserIEAgent => C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe [2013-02-08] ()
Task: {35AB068A-60B1-4F7F-848C-7E37C6E048BD} - System32\Tasks\DeviceDetector => C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe [2013-02-08] (CyberLink)
Task: {52C554B3-246C-46D3-B6AD-7FA1E64E0629} - System32\Tasks\COMODO\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: {64421EE9-B0FD-4208-B753-8858889B1BFA} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-01-26] (Microsoft Corporation)
Task: {6E403754-8FE2-467A-BEA5-B027DE37D598} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-07] (Adobe Systems Incorporated)
Task: {7B908A10-3C74-4CD2-86BE-C7F7C5AD3155} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-27] (Adobe Systems Incorporated)
Task: {998BB934-9149-41A3-98F8-0A0C390F9458} - System32\Tasks\Power Management => C:\Program Files\Acer\Acer Power Management\ePowerTray.exe [2013-03-15] (Acer Incorporated)
Task: {CD32ACF4-E397-40C2-86C6-CB2B91014807} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: {D94CFF4C-A713-4825-9F9E-09DA961ED5B8} - System32\Tasks\ALU => C:\Program Files (x86)\Acer\Live Updater\updater.exe [2013-03-13] ()
Task: {D9B313DA-8103-4F47-A417-147527C4920C} - System32\Tasks\iuEmailOutlookAgent => C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe [2013-02-08] ()
Task: {DB98D47B-A1AE-4C5B-8F2B-E318A3334ECD} - System32\Tasks\{31DDBD37-5DB7-4030-8064-10B0CAA806C3} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2014-12-13] (COMODO)
Task: {DC757743-9568-45D6-9C81-B6F9114E4156} - System32\Tasks\Recovery Management\Notification => C:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exe [2013-01-23] (Acer Incorporated)
Task: {DFD3FD88-BD72-4726-958E-DCE6DDD552D4} - System32\Tasks\COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [2014-12-13] (COMODO)
Task: {F445B4EE-FF5C-412F-B093-3A387E8AF118} - System32\Tasks\ALUAgent => C:\Program Files (x86)\Acer\Live Updater\liveupdater_agent.exe [2013-01-22] ()
Task: {F451AF5B-5FE4-4CA1-AC2C-5B8B0B9608C4} - System32\Tasks\COMODO\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: {FCA61716-C2ED-4049-86A2-E1F180474BEE} - System32\Tasks\Dolby Selector => C:\Dolby PCEE4\pcee4.exe [2012-08-31] (Dolby Laboratories Inc.)
Task: {FE3D98E8-E388-45D4-9B38-A44BD6C31DF5} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe [2014-12-13] (COMODO)
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) ==============

2013-09-05 02:36 - 2013-09-05 02:36 - 00013088 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2013-07-08 16:06 - 2013-02-20 21:58 - 00111176 _____ () C:\Program Files (x86)\Acer\clear.fi plug-in\Clearfishellext_x64.dll
2013-01-28 13:45 - 2013-01-28 13:45 - 00011264 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2013-01-28 13:42 - 2013-01-28 13:42 - 00084992 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\Modules\Map\MAP.dll
2013-01-28 13:47 - 2013-01-28 13:47 - 00012928 _____ () C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
2013-02-08 22:24 - 2013-02-08 22:24 - 00025672 _____ () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuEmailOutlookAgent.exe
2013-02-08 22:24 - 2013-02-08 22:24 - 00044616 _____ () C:\Program Files\Acer\Acer Instant Service\InstantUpdate\iuBrowserIEAgent.exe
2015-02-10 00:06 - 2015-02-10 00:08 - 00852594 _____ () C:\Users\*****\Desktop\BKA-Virus Jan. 2015\SecurityCheck.exe
2013-04-15 17:39 - 2013-04-15 17:39 - 00073424 _____ () C:\Program Files\COMODO\COMODO Internet Security\scanners\smart.cav
2013-07-08 15:35 - 2012-06-25 03:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2015-02-08 13:01 - 2015-02-08 13:01 - 03925104 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2013-07-08 16:06 - 2013-02-20 21:58 - 00089672 _____ () C:\Program Files (x86)\Acer\clear.fi plug-in\Clearfishellext.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
AlternateDataStreams: C:\WINDOWS\explorer.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\adhsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\bdesvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\BFE.DLL:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\bisrv.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\crypt32.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\d3d9.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\DaOtpCredentialProvider.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\DeviceSetupStatusProvider.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcore.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcore6.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dhcpcsvc6.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\dxtrans.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\framedyn.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\framedynos.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\fveapi.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\hal.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\httpprxm.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ie4uinit.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ieapfltr.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iedkcs32.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\ieframe.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iepeers.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iertutil.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\IKEEXT.DLL:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\inetcomm.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\inetcpl.cpl:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\iphlpsvc.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\jscript.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\jscript9.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\KernelBase.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\lockscreencn.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\MDMAgent.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\MrmCoreR.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\MRT.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\msfeeds.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\mshtml.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\MshtmlDac.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\mshtmled.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\mstscax.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\msvcr120_clr0400.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\ncobjapi.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\ntdll.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\pcsvDevice.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\propsys.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\ProximityService.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\reseteng.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Robocopy.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\schedsvc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SearchFolder.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SET745D.tmp:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SkyDrive.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SkyDriveShell.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SkyDriveTelemetry.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SyncEngine.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\SystemEventsBrokerServer.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\TsWpfWrp.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\uDWM.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\urlmon.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\UXInit.dll:$CmdTcID AlternateDataStreams: 
C:\WINDOWS\system32\vbscript.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\vpnike.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\webcheck.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Windows.ApplicationModel.Store.TestingFramework.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Windows.UI.Search.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WindowsCodecs.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\wininet.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Wldap32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Wpc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WpcMon.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WpcWebSync.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WSShared.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WUDFHost.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WUDFPlatform.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\WUDFSvc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\crypt32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\d3d8thk.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\d3d9.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\DaOtpCredentialProvider.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\DeviceSetupStatusProvider.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcore.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcore6.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcsvc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhcpcsvc6.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dhRichClient3.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\dxtrans.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\explorer.exe:$CmdTcID AlternateDataStreams: 
C:\WINDOWS\SysWOW64\framedyn.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\framedynos.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ieapfltr.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\iedkcs32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ieframe.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\iepeers.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\iertutil.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\inetcomm.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\inetcpl.cpl:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\jscript.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\jscript9.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\KernelBase.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\MrmCoreR.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\msfeeds.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\mshtml.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\MshtmlDac.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\mshtmled.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\mstscax.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\msvcr120_clr0400.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ncobjapi.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\ntdll.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\PrintConfig.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\propsys.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Robocopy.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\SearchFolder.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\SkyDriveShell.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\sqlite36_engine.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\TsWpfWrp.exe:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\urlmon.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\UXInit.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\vbscript.dll:$CmdTcID AlternateDataStreams: 
C:\WINDOWS\SysWOW64\webcheck.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Windows.ApplicationModel.Store.TestingFramework.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Windows.UI.Search.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\WindowsCodecs.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\wininet.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Wldap32.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\Wpc.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\SysWOW64\WSShared.dll:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\agilevpn.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\mrxsmb.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\msgpioclx.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\vwififlt.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\vwifimp.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\WUDFPf.sys:$CmdTcID AlternateDataStreams: C:\WINDOWS\system32\Drivers\WUDFRd.sys:$CmdTcID AlternateDataStreams: C:\Users\*****\OneDrive:ms-properties AlternateDataStreams: C:\Users\*****\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_de.exe:$CmdTcID AlternateDataStreams: C:\Users\*****\Downloads\Apache_OpenOffice_4.1.1_Win_x86_install_de.exe:$CmdZnID AlternateDataStreams: C:\Users\*****\Downloads\document.pdf:$CmdTcID AlternateDataStreams: C:\Users\*****\Downloads\document.pdf:$CmdZnID AlternateDataStreams: C:\Users\*****\Downloads\Finanzreport_Nr.10_vom_04.11.2014665154.pdf:$CmdTcID AlternateDataStreams: C:\Users\*****\Downloads\Finanzreport_Nr.10_vom_04.11.2014665154.pdf:$CmdZnID ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) ==================== EXE Association (whitelisted) =============== (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) 
==================== Other Registry Areas =====================
(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1264040666-3370852229-1384236812-1001\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\*****\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

==================== MSCONFIG/TASK MANAGER disabled items ==
(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1264040666-3370852229-1384236812-1002\...\StartupApproved\StartupFolder: => "75BA36AF7.lnk"

==================== Accounts: =============================
Administrator (S-1-5-21-1264040666-3370852229-1384236812-500 - Administrator - Disabled)
***** (S-1-5-21-1264040666-3370852229-1384236812-1002 - Administrator - Enabled) => C:\Users\*****
Gast (S-1-5-21-1264040666-3370852229-1384236812-501 - Limited - Disabled)
UpdatusUser (S-1-5-21-1264040666-3370852229-1384236812-1001 - Limited - Enabled) => C:\Users\UpdatusUser

==================== Faulty Device Manager Devices =============
Could not list Devices. Check "winmgmt" service or repair WMI.
==================== Event log errors: =========================

Application errors:
==================
Error: (02/10/2015 09:48:34 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ePowerTray.exe, version: 7.0.3013.0, time stamp: 0x5142c4ea
Faulting module name: ePowerTray.exe, version: 7.0.3013.0, time stamp: 0x5142c4ea
Exception code: 0xc0000005
Fault offset: 0x000000000000792c
Faulting process id: 0xfd8
Faulting application start time: 0xePowerTray.exe0
Faulting application path: ePowerTray.exe1
Faulting module path: ePowerTray.exe2
Report Id: ePowerTray.exe3
Faulting package full name: ePowerTray.exe4
Faulting package-relative application ID: ePowerTray.exe5

Error: (02/10/2015 09:30:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ePowerSvc.exe, version: 7.0.3013.0, time stamp: 0x5142c4d9
Faulting module name: ePowerSvc.exe, version: 7.0.3013.0, time stamp: 0x5142c4d9
Exception code: 0xc0000005
Fault offset: 0x000000000000aa80
Faulting process id: 0xe98
Faulting application start time: 0xePowerSvc.exe0
Faulting application path: ePowerSvc.exe1
Faulting module path: ePowerSvc.exe2
Report Id: ePowerSvc.exe3
Faulting package full name: ePowerSvc.exe4
Faulting package-relative application ID: ePowerSvc.exe5

Error: (02/10/2015 09:29:24 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Notification.exe, version: 6.0.3007.0, time stamp: 0x50ffcf8d
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17278, time stamp: 0x53eebf2e
Exception code: 0xe0434352
Fault offset: 0x000000000000606c
Faulting process id: 0x16f4
Faulting application start time: 0xNotification.exe0
Faulting application path: Notification.exe1
Faulting module path: Notification.exe2
Report Id: Notification.exe3
Faulting package full name: Notification.exe4
Faulting package-relative application ID: Notification.exe5

Error: (02/10/2015 09:29:24 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Notification.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Runtime.InteropServices.COMException
Stack:
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Notification.eRyBaseFunction.CheckPQServiceartition()
   at Notification.App.Main(System.String[])

Error: (02/10/2015 09:20:24 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest1". Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.

Error: (02/10/2015 09:18:59 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest1". Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.

Error: (02/10/2015 01:05:38 AM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "asmv2:clrClassInvocation1". Error in manifest or policy file "asmv2:clrClassInvocation2" on line asmv2:clrClassInvocation3.
The element asmv2:clrClassInvocation appears as a child of element urn:schemas-microsoft-com:asm.v1^entryPoint which is not supported by this version of Windows.

Error: (02/10/2015 01:05:38 AM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "asmv2:clrClassInvocation1". Error in manifest or policy file "asmv2:clrClassInvocation2" on line asmv2:clrClassInvocation3.
The element asmv2:clrClassInvocation appears as a child of element urn:schemas-microsoft-com:asm.v1^entryPoint which is not supported by this version of Windows.

Error: (02/10/2015 01:05:38 AM) (Source: SideBySide) (EventID: 72) (User: )
Description: Activation context generation failed for "asmv2:clrClassInvocation1". Error in manifest or policy file "asmv2:clrClassInvocation2" on line asmv2:clrClassInvocation3.
The element asmv2:clrClassInvocation appears as a child of element urn:schemas-microsoft-com:asm.v1^entryPoint which is not supported by this version of Windows.

Error: (02/10/2015 01:05:37 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest1". Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
System errors:
=============
Error: (02/10/2015 09:56:03 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/10/2015 09:56:03 PM) (Source: DCOM) (EventID: 10010) (User: WOHNZIMMER-PC)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (02/10/2015 09:54:03 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/10/2015 09:54:03 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (02/10/2015 09:52:03 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/10/2015 09:52:03 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (02/10/2015 09:50:03 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/10/2015 09:50:03 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error: (02/10/2015 09:48:03 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Management Instrumentation service terminated with the following error: %%126

Error: (02/10/2015 09:48:03 PM) (Source: DCOM) (EventID: 10010) (User: NT-AUTORITÄT)
Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Microsoft Office Sessions:
=========================
Error: (02/10/2015 09:48:34 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: ePowerTray.exe7.0.3013.05142c4eaePowerTray.exe7.0.3013.05142c4eac0000005000000000000792cfd801d0450a3554764dC:\Program Files\Acer\Acer Power Management\ePowerTray.exeC:\Program Files\Acer\Acer Power Management\ePowerTray.exe97f6e72c-b101-11e4-be89-2cd05af9bb94

Error: (02/10/2015 09:30:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: ePowerSvc.exe7.0.3013.05142c4d9ePowerSvc.exe7.0.3013.05142c4d9c0000005000000000000aa80e9801d0450a35af10b5C:\Program Files\Acer\Acer Power Management\ePowerSvc.exeC:\Program Files\Acer\Acer Power Management\ePowerSvc.exe1413ad00-b0ff-11e4-be89-2cd05af9bb94

Error: (02/10/2015 09:29:24 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Notification.exe6.0.3007.050ffcf8dKERNELBASE.dll6.3.9600.1727853eebf2ee0434352000000000000606c16f401d0450b8914ad1eC:\Program Files\Acer\Acer Recovery Management\Notification\Notification.exeC:\WINDOWS\system32\KERNELBASE.dlleb0f3849-b0fe-11e4-be89-2cd05af9bb94

Error: (02/10/2015 09:29:24 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Notification.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Runtime.InteropServices.COMException
Stack:
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at Notification.eRyBaseFunction.CheckPQServiceartition()
   at Notification.App.Main(System.String[])

Error: (02/10/2015 09:20:24 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\Program Files (x86)\ESET\ESET Online Scanner\ESETSmartInstaller.exe

Error: (02/10/2015 09:18:59 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\Users\*****\Desktop\BKA-Virus Jan. 2015\esetsmartinstaller_deu.exe

Error: (02/10/2015 01:05:38 AM) (Source: SideBySide) (EventID: 72) (User: )
Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\PowerPointAddIn2003.dll.Manifest4

Error: (02/10/2015 01:05:38 AM) (Source: SideBySide) (EventID: 72) (User: )
Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\WordAddIn2003.dll.Manifest4

Error: (02/10/2015 01:05:38 AM) (Source: SideBySide) (EventID: 72) (User: )
Description: asmv2:clrClassInvocationurn:schemas-microsoft-com:asm.v1^entryPointC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.ManifestC:\Program Files (x86)\Acer\Office Addin 2003\ExcelAddIn2003.dll.Manifest4

Error: (02/10/2015 01:05:37 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\Program Files (x86)\ESET\ESET Online Scanner\ESETSmartInstaller.exe

CodeIntegrity Errors:
===================================
Date: 2015-02-10 21:37:34.696
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-02-10 10:29:56.598
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-02-10 10:23:30.727
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-02-10 09:59:06.385
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-02-10 09:40:34.041
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-02-10 09:19:02.182
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-02-09 23:38:35.257
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-02-09 23:11:16.588
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-02-09 08:17:08.643
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2015-02-08 23:50:03.570
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================
Processor: Intel(R) Core(TM) i5-3230M CPU @ 2.60GHz
Percentage of memory in use: 24%
Total physical RAM: 8010.27 MB
Available physical RAM: 6057.64 MB
Total Pagefile: 16202.27 MB
Available Pagefile: 13592.46 MB
Total Virtual: 131072 MB
Available Virtual: 131071.85 MB

==================== Drives ================================
Drive c: (Acer) (Fixed) (Total:913.26 GB) (Free:869.71 GB) NTFS

==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: D0200254)
Partition: GPT Partition Type.

==================== End Of Log ============================ |
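Two sections of the FRST addition log above are the ones a helper actually has to read rather than skim: the long "Alternate Data Streams" list and the "MSCONFIG/TASK MANAGER disabled items" entry, which records the startup item the poster switched off in Task Manager (StartupApproved\StartupFolder: "75BA36AF7.lnk"). The following Python script is an added example, not part of the original post and not FRST code. It parses lines in FRST's format and applies the two checks a practitioner would make by eye: an identical stream name stamped on hundreds of system DLLs is the signature of a vendor tag, not of per-file tampering, so the script builds a histogram and only flags streams it does not recognise or known streams sitting on an executable in a user-writable folder; and startup items whose name is a bare hex string are flagged for review. Assumptions, not verified here: `$CmdTcID` / `$CmdZnID` are treated as tags written by COMODO Internet Security (which the log shows installed); the sample log text is constructed to mimic the posted log and is not the log itself; and the hex-name heuristic is a triage aid, not a verdict.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Stream names with a known origin. The two $Cmd* entries are an ASSUMPTION:
# they are treated here as tags of COMODO Internet Security, which the posted
# log shows installed; verify that on the machine before trusting it.
KNOWN_STREAMS = {
    "$CmdTcID": "COMODO tag (assumed)",
    "$CmdZnID": "COMODO tag (assumed)",
    "Zone.Identifier": "Mark-of-the-Web",
    "ms-properties": "OneDrive metadata",
}
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".ps1", ".hta"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Temp)\\", re.I)
# Heuristic: startup items named like 75BA36AF7.lnk (pure hex, no vendor name).
RANDOM_HEX_NAME = re.compile(r"^[0-9A-F]{8,}\.[A-Z0-9]{2,4}$", re.I)

# FRST line formats, as in the posted log. The path itself contains "C:", so the
# greedy group makes the *last* colon the path/stream separator.
ADS_RE = re.compile(r"^AlternateDataStreams:\s+(?P<path>.+):(?P<stream>[^:\\]+?)\s*$")
STARTUP_RE = re.compile(r'StartupApproved\\(?P<where>[A-Za-z0-9]+):\s*=>\s*"(?P<name>[^"]+)"')


@dataclass(frozen=True)
class Finding:
    kind: str      # "ads" or "startup"
    subject: str   # file path or startup item name
    severity: str  # "info" or "review"
    reason: str


def triage_ads(path: str, stream: str) -> Finding:
    ext = os.path.splitext(path)[1].lower()
    if stream not in KNOWN_STREAMS:
        return Finding("ads", path, "review", f"unrecognised stream name {stream!r}")
    if USER_WRITABLE.search(path) and ext in EXECUTABLE_EXT:
        return Finding("ads", path, "review",
                       f"{KNOWN_STREAMS[stream]} on an executable in a user-writable folder")
    return Finding("ads", path, "info", KNOWN_STREAMS[stream])


def triage_startup(where: str, name: str) -> Finding:
    if RANDOM_HEX_NAME.match(name):
        return Finding("startup", name, "review",
                       f"hex-named item disabled via Task Manager (StartupApproved\\{where})")
    return Finding("startup", name, "info", f"disabled item in StartupApproved\\{where}")


def triage(log_text: str) -> List[Finding]:
    """Walk an FRST addition log and return one Finding per ADS / disabled-startup line."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            findings.append(triage_ads(m["path"], m["stream"]))
            continue
        m = STARTUP_RE.search(line)
        if m:
            findings.append(triage_startup(m["where"], m["name"]))
    return findings


def stream_histogram(log_text: str) -> Counter:
    """Count stream names; a vendor tag shows up as one name on many system files."""
    return Counter(m["stream"] for line in log_text.splitlines()
                   if (m := ADS_RE.match(line.strip())))


# Constructed sample in FRST's line format, modelled on the posted log (not the log itself).
SAMPLE_LOG = r"""
==================== Alternate Data Streams (whitelisted) =========
AlternateDataStreams: C:\WINDOWS\explorer.exe:$CmdTcID
AlternateDataStreams: C:\WINDOWS\system32\crypt32.dll:$CmdTcID
AlternateDataStreams: C:\WINDOWS\SysWOW64\ntdll.dll:$CmdTcID
AlternateDataStreams: C:\Users\user\OneDrive:ms-properties
AlternateDataStreams: C:\Users\user\Downloads\document.pdf:$CmdZnID
AlternateDataStreams: C:\Users\user\Downloads\Rechnung.pdf.exe:Zone.Identifier
AlternateDataStreams: C:\Users\user\AppData\Roaming\svc.dll:payload
==================== MSCONFIG/TASK MANAGER disabled items ==
HKU\S-1-5-21-1-2-3-1002\...\StartupApproved\StartupFolder: => "75BA36AF7.lnk"
HKU\S-1-5-21-1-2-3-1002\...\StartupApproved\Run: => "OneDrive"
"""

if __name__ == "__main__":
    print("stream histogram:", dict(stream_histogram(SAMPLE_LOG)))
    for f in triage(SAMPLE_LOG):
        if f.severity == "review":
            print(f"[{f.kind}] REVIEW {f.subject}: {f.reason}")
```

Run it against a real Addition.txt by replacing `SAMPLE_LOG` with the file's contents; everything marked `info` can be dropped from the read-through, and what is left is the handful of lines worth following up. The `review` items in the sample are the `.exe` in Downloads with a Mark-of-the-Web, the DLL under AppData with a stream name nobody recognises, and the hex-named `.lnk` in StartupApproved.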