Trojaner-Board
Seite 1 von 3 1 23
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   DownloadProtect Extension Version 1.0.0.1 lasst sich nicht vom MS Internet Explorer entfernen (https://www.trojaner-board.de/168922-downloadprotect-extension-version-1-0-0-1-lasst-ms-internet-explorer-entfernen.html)

DWaKd 22.07.2015 22:28
DownloadProtect Extension Version 1.0.0.1 lasst sich nicht vom MS Internet Explorer entfernen
 
Liste der Anhänge anzeigen (Anzahl: 2)
Seit einigen Tage versuche ich DownloadProtect Extension vom MS Internet Explorer und Firefox zu entfernen. Malewarebyte, adwclean und Registry Cleanup hat nicht ausgereicht.

Die Infos habe ich gemäß eurer Anleitung erstellt. Ausnahme Bitdefender Internet Security 2015 habe ich nicht deaktivieren können. Hoffe, dass das für diesen Fall auch nicht notwendig ist.

Alles läuft unter Win8.1. Würde mich freuen, wenn mir jemand helfen kann.

Danke und Gruß
Detlev

schrauber 23.07.2015 05:26
Hi,

Logs bitte immer in den Thread posten. Zur Not aufteilen und mehrere Posts nutzen.
Ich kann auf Arbeit keine Anhänge öffnen, danke.

So funktioniert es:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:
  • Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
  • Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
  • Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
  • Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.
http://www.trojaner-board.de/picture...&pictureid=307

DWaKd 23.07.2015 09:04
FRST.txt - Addition.txt - result2.txt
 

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
Ran by Detlev (ATTENTION: The logged in user is not administrator) on OFFICE01 on 22-07-2015 22:23:43
Running from C:\Users\Detlev\Desktop
Loaded Profiles: Admin & Detlev (Available Profiles: Admin & Detlev & Administrator)
Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> wininit.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> vsserv.exe
Failed to access process -> dwm.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> DisplayLinkManager.exe
Failed to access process -> RtkAudioService64.exe
Failed to access process -> RAVBg64.exe
Failed to access process -> RAVBg64.exe
Failed to access process -> DisplayLinkUserAgent.exe
Failed to access process -> svchost.exe
Failed to access process -> wlanext.exe
Failed to access process -> conhost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> svchost.exe
Failed to access process -> aavus.exe
Failed to access process -> armsvc.exe
Failed to access process -> AERTSr64.exe
Failed to access process -> SkypeC2CAutoUpdateSvc.exe
Failed to access process -> SkypeC2CPNRSvc.exe
Failed to access process -> svchost.exe
Failed to access process -> dasHost.exe
Failed to access process -> DnsBlockUpdateSvc.exe
Failed to access process -> E_WT50RP.EXE
Failed to access process -> EvtEng.exe
Failed to access process -> HeciServer.exe
Failed to access process -> irstrtsv.exe
Failed to access process -> iSCTAgent.exe
Failed to access process -> mbamscheduler.exe
Failed to access process -> mbamservice.exe
Failed to access process -> nsmservice.exe
Failed to access process -> RegSrvc.exe
Failed to access process -> svchost.exe
Failed to access process -> updatesrv.exe
Failed to access process -> WDDriveService.exe
Failed to access process -> ZeroConfigService.exe
Failed to access process -> WDBackupEngine.exe
Failed to access process -> unsecapp.exe
Failed to access process -> WmiPrvSE.exe
Failed to access process -> WmiPrvSE.exe
Failed to access process -> svchost.exe
Failed to access process -> WUDFHost.exe
Failed to access process -> WUDFHost.exe
() C:\Windows\Temp\irstrtsv\scrncap.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
Failed to access process -> SearchIndexer.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
Failed to access process -> BbDevMgr.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
Failed to access process -> netsetman.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
Failed to access process -> BTHSAmpPalService.exe
Failed to access process -> devmonsrv.exe
Failed to access process -> obexsrv.exe
Failed to access process -> BTHSSecurityMgr.exe
Failed to access process -> OTBSurvey.exe
Failed to access process -> DeliveryService.exe
Failed to access process -> DellUpService.exe
Failed to access process -> IAStorDataMgrSvc.exe
Failed to access process -> jhi_service.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
Failed to access process -> LMS.exe
Failed to access process -> SftService.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe
(Neuber Software) C:\Program Files (x86)\Security Task Manager\TaskMan.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIH3E.EXE
Failed to access process -> svchost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
Failed to access process -> taskeng.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-30] (Intel Corporation)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3058848 2012-07-24] (Dell Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2780400 2014-05-06] (Synaptics Incorporated)
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe [1691112 2015-04-06] (Bitdefender)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [IntelPROSet] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [4878752 2015-03-19] (Intel(R) Corporation)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [267792 2013-01-17] (Research In Motion Limited)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3498728 2015-06-29] (Adobe Systems Inc.)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [642664 2014-02-13] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863848 2014-02-13] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [NetSetMan] => C:\Program Files (x86)\NetSetMan\netsetman.exe [6539944 2015-06-16] (Ilja Herlein)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1694048 2014-05-23] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2015-05-20] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5564784 2015-05-01] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2086240 2015-04-28] (Wondershare)
HKLM-x32\...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\Video Converter Ultimate\DelayPluginI.exe
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKLM\...\RunOnce: [ASYNCMAC] => rundll32.exe streamci,StreamingDeviceSetup {eeab7790-c514-11d1-b42b-00805fc1270e},asyncmac,{ad498944-762f-11d0-8dcb-00c04fc3358c},C:\WINDOWS\INF\netrasa.inf,Ndis-Mp-AsyncMac
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2015-06-18] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1058572625-867591187-812149052-1001\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE [241280 2012-07-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1058572625-867591187-812149052-1001\...\Run: [Bitdefender-Geldb�rse-Agent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe [790880 2015-02-25] (Bitdefender)
HKU\S-1-5-21-1058572625-867591187-812149052-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE [241280 2012-07-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [Bitdefender-Geldb�rse-Agent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe [790880 2015-02-25] (Bitdefender)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [EPLTarget\P0000000000000001] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE [241280 2012-07-12] (SEIKO EPSON CORPORATION)
Startup: C:\Users\Detlev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk [2014-08-08]
ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser]  <======= ATTENTION (Policy restriction on ProxySettings)
ProxyEnable: [S-1-5-21-1058572625-867591187-812149052-1002] => Internet Explorer proxy is enabled.
HKU\S-1-5-21-1058572625-867591187-812149052-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-1058572625-867591187-812149052-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.web.de/
HKU\S-1-5-21-1058572625-867591187-812149052-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
URLSearchHook: [S-1-5-21-1058572625-867591187-812149052-1001] ATTENTION ==> Default URLSearchHook is missing
SearchScopes: HKLM -> {DF4AC5A7-A78F-4A31-B77B-BA9B88A14453} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> DefaultScope {57CF7BF6-6348-4154-A75E-48E42BDB3AF5} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> {57CF7BF6-6348-4154-A75E-48E42BDB3AF5} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files\{DCB99623-DFAE-4297-B412-EB532D4B2DB7}\{45F26614-6ADF-43A4-B5A6-1F917C1DE834}.bin [2015-07-22] (Download Protect)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Wondershare Video Converter Ultimate 7.1.0 -> {451C804F-C205-4F03-B48E-537EC94937BF} -> C:\PROGRA~3\WONDER~1\VIDEOC~1\WSBROW~1.DLL No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\ssv.dll [2015-07-19] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files (x86)\{88F2BEBC-E310-466E-AAF6-B647EF538B58}\{2FDA30AA-080D-4720-B65B-7287BE47EFB5}.bin [2015-07-22] (Download Protect)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\jp2ssv.dll [2015-07-19] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM - Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\pmbxie.dll [2015-02-25] (Bitdefender)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\pmbxie.dll [2015-02-25] (Bitdefender)
Toolbar: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\pmbxie.dll [2015-02-25] (Bitdefender)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
Tcpip\..\Interfaces\{72C81EA3-A616-44BB-B316-EA42CE39A066}: [NameServer] 192.168.129.10
Tcpip\..\Interfaces\{F35878CF-4C09-486C-9E84-BB14D36C6750}: [DhcpNameServer] 13.36.0.102

FireFox:
========
FF ProfilePath: C:\Users\Detlev\AppData\Roaming\Mozilla\Firefox\Profiles\tge1794z.default
FF DefaultSearchUrl: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF SelectedSearchEngine: Google
FF SelectedSearchEngine: google
FF Homepage: hxxp://www.google.de?hl=de&gl=de
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=UTF-8&oe=UTF-8&meta=lr=lang_de&q=
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF NetworkProxy: "autoconfig_url", "web.de"
FF NetworkProxy: "type", 2
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-07-15] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-28] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-15] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\dtplugin\npDeployJava1.dll [2015-07-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll [2015-07-19] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2012-12-13] ()
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-07-03] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-28] (Adobe Systems)
FF user.js: detected! => C:\Users\Detlev\AppData\Roaming\Mozilla\Firefox\Profiles\tge1794z.default\user.js [2015-07-22]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext
FF Extension: Bitdefender Antispam Toolbar - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext [2015-01-01]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-08-05]
FF HKLM-x32\...\Firefox\Extensions: [bdwteff@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff [2015-01-01]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com
FF HKLM-x32\...\Firefox\Extensions: [{CB235133-5305-4E26-8727-256679D3FF57}] - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi [2015-07-20]
FF HKLM-x32\...\Firefox\Extensions: [{434BF744-47E1-45F7-B215-EAE9123E8522}] - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi [2015-07-22]
FF HKLM-x32\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2015-06-29]
CHR HKLM-x32\...\Chrome\Extension: [fabcmochhfpldjekobfaaggijgohadih] - https://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AAV UpdateService; C:\Programme (x86)\AAVUpdateManager\aavus.exe [128296 2008-10-24] ()
S4 BdDesktopParental; C:\Program Files\Bitdefender\Bitdefender 2015\bdparentalservice.exe [78144 2015-01-21] (Bitdefender)
R3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited) [File not signed]
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1394816 2015-05-01] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1772672 2015-05-01] (Microsoft Corporation)
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\OTBSurvey.exe [145288 2015-04-09] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-06-09] (Dell Inc.)
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [10813232 2014-09-08] (DisplayLink Corp.)
R2 DnsBlockUpdateSvc; C:\WINDOWS\system32\DnsBlockUpdateSvc.exe [149024 2015-06-21] ()
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-30] (Intel Corporation)
S2 ibtsiva; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [131312 2015-03-19] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel(R) Corporation)
R2 irstrtsv; C:\Windows\SysWOW64\irstrtsv.exe [783264 2013-09-09] (Intel Corporation)
R2 ISCTAgent; c:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe [198120 2013-08-01] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
S2 lmhosts; C:\Windows\system32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)
S2 lmhosts; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-29] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-03-19] ()
R2 NlaSvc; C:\Windows\System32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-29] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)
R2 nsi; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-29] (Microsoft Corporation)
R2 nsmService; C:\Program Files (x86)\NetSetMan\nsmservice.exe [1278632 2015-02-06] (Ilja Herlein)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-12-11] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [1915920 2013-11-22] (SoftThinks SAS)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe [67320 2015-01-01] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe [1547936 2015-04-06] (Bitdefender)
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2015-05-01] (Western Digital Technologies, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [306552 2015-05-20] (Western Digital Technologies, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-04] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-04] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3820960 2015-03-19] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1306464 2015-02-25] (BitDefender)
R3 avchv; C:\Windows\system32\DRIVERS\avchv.sys [262544 2015-02-25] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [677104 2015-02-25] (BitDefender)
S0 bdelam; C:\Windows\System32\drivers\bdelam.sys [23568 2013-09-08] (Bitdefender)
R1 BdfNdisf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfndisf6.sys [98768 2015-02-25] (BitDefender LLC)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [107008 2013-07-29] (BitDefender LLC)
S3 bdfwfpf_pc; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf_pc.sys [121928 2013-07-02] (Bitdefender SRL)
S3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
S3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1448248 2014-11-26] (Motorola Solutions, Inc.)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-25] (OSR Open Systems Resources, Inc.)
R3 DisplayLinkUsbIo_x64; C:\Windows\System32\drivers\DisplayLinkUsbIo_x64_7.6.54217.0.sys [46384 2014-09-22] ()
R3 dlcdcncm; C:\Windows\system32\DRIVERS\dlcdcncm62_x64.sys [82224 2014-09-08] (DisplayLink Corp.)
R3 dlusbaudio; C:\Windows\system32\DRIVERS\dlusbaudio_x64.sys [206640 2014-09-08] (DisplayLink Corp.)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [160544 2015-04-06] (BitDefender LLC)
S3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-08-09] (Intel Corporation)
R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [120312 2014-06-03] (Intel Corporation)
S3 iaLPSS_SPI; C:\Windows\System32\drivers\iaLPSS_SPI.sys [83960 2013-08-09] (Intel Corporation)
S3 iaLPSS_UART2; C:\Windows\System32\drivers\iaLPSS_UART2.sys [129528 2013-08-09] (Intel Corporation)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [253680 2015-03-19] (Intel Corporation)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [21408 2013-08-01] ()
R3 imsevent; C:\Windows\system32\DRIVERS\imsevent.sys [21920 2013-08-01] ()
R3 INETMON; C:\Windows\System32\Drivers\INETMON.sys [29088 2013-08-01] ()
R3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [20192 2013-09-09] (Intel Corporation)
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46568 2013-08-01] ()
S3 LAN7500; C:\Windows\system32\DRIVERS\lan7500-x64-n630f.sys [96256 2013-04-05] (SMSC)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [113880 2015-07-20] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [99288 2013-12-19] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3497240 2015-03-23] (Intel Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
R3 SensorsAlsDriver; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [41200 2014-05-06] (Synaptics Incorporated)
U5 TMUSB; C:\Windows\System32\DRIVERS\TMUSB64.SYS [63096 2014-03-19] (Seiko Epson Corporation)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [452040 2015-01-01] (BitDefender S.R.L.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
S3 btmaux; \SystemRoot\system32\DRIVERS\btmaux.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-22 22:23 - 2015-07-22 22:23 - 00032436 _____ C:\Users\Detlev\Desktop\FRST.txt
2015-07-22 22:23 - 2015-07-22 22:23 - 00000000 ____D C:\FRST
2015-07-22 22:21 - 2015-07-22 22:21 - 00000472 _____ C:\Users\Detlev\Desktop\defogger_disable.log
2015-07-22 22:21 - 2015-07-22 22:21 - 00000000 _____ C:\Users\Admin\defogger_reenable
2015-07-22 22:20 - 2015-07-22 22:08 - 00380416 _____ C:\Users\Detlev\Desktop\Gmer-19357.exe
2015-07-22 22:20 - 2015-07-22 22:07 - 02135552 _____ (Farbar) C:\Users\Detlev\Desktop\FRST64.exe
2015-07-22 22:20 - 2015-07-22 22:04 - 00050477 _____ C:\Users\Detlev\Desktop\Defogger.exe
2015-07-22 20:02 - 2015-07-22 20:02 - 00000000 ____D C:\ProgramData\SecTaskMan
2015-07-22 20:00 - 2015-07-22 20:00 - 00132632 _____ C:\Users\Detlev\AppData\Local\recently-used.xbel
2015-07-22 19:40 - 2015-07-22 19:40 - 00004124 _____ C:\Users\Detlev\Desktop\result2.txt
2015-07-22 18:32 - 2015-07-22 18:32 - 00000000 ____D C:\Program Files\{DCB99623-DFAE-4297-B412-EB532D4B2DB7}
2015-07-22 18:32 - 2015-07-22 18:32 - 00000000 ____D C:\Program Files (x86)\{88F2BEBC-E310-466E-AAF6-B647EF538B58}
2015-07-20 21:23 - 2015-07-20 21:29 - 63320784 _____ (Microsoft Corporation) C:\Users\Detlev\Downloads\IE11-Windows6.1-x64-de-de.exe
2015-07-20 21:23 - 2015-07-20 21:24 - 00000000 ___RD C:\Users\Detlev\Favorites - Kopie
2015-07-20 21:13 - 2015-07-20 21:13 - 00063173 _____ C:\Users\Detlev\Desktop\Firefox-bookmarks-2015-07-20.json
2015-07-20 20:58 - 2015-07-20 21:01 - 40945288 _____ C:\Users\Detlev\Downloads\firefox_setup_39.0.exe
2015-07-20 20:53 - 2015-07-14 16:14 - 00358912 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2015-07-20 20:53 - 2015-07-14 16:14 - 00301056 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2015-07-20 20:53 - 2015-07-14 16:14 - 00035840 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2015-07-20 20:53 - 2015-07-14 16:13 - 00044032 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2015-07-20 20:33 - 2015-07-22 19:11 - 00009297 _____ C:\Users\Detlev\Desktop\Ausgaben Urlaub.xlsx
2015-07-20 11:09 - 2015-07-20 11:10 - 00004385 _____ C:\Users\Detlev\Desktop\result.txt
2015-07-20 03:32 - 2015-07-20 22:09 - 00113880 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-07-20 03:32 - 2015-07-20 22:07 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-20 03:32 - 2015-07-20 22:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-20 03:32 - 2015-07-20 22:07 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-20 03:32 - 2015-07-20 03:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-07-20 03:32 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-07-20 03:32 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-07-20 03:32 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-07-20 03:21 - 2015-07-20 03:25 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\Detlev\Desktop\mbam-setup-2.1.6.1022.exe
2015-07-20 02:44 - 2015-07-20 02:44 - 00001784 _____ C:\Users\Detlev\Desktop\Fixlist.txt
2015-07-20 02:32 - 2015-07-20 02:32 - 00000586 _____ C:\Users\Admin\Documents\reg20150720.reg
2015-07-20 01:57 - 2015-07-20 01:57 - 01198368 _____ C:\Users\Detlev\Downloads\Malwarebytes Anti Malware Malware Scanner - CHIP-Installer.exe
2015-07-19 20:32 - 2015-07-19 20:32 - 00001172 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spy Protector.lnk
2015-07-19 20:32 - 2015-07-19 20:32 - 00001161 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager.lnk
2015-07-19 20:32 - 2015-07-19 20:32 - 00001149 _____ C:\Users\Public\Desktop\Security Task Manager.lnk
2015-07-19 20:32 - 2015-07-19 20:32 - 00000000 ____D C:\Program Files (x86)\Security Task Manager
2015-07-16 21:41 - 2015-07-16 21:41 - 00000000 ____D C:\Users\Detlev\AppData\Local\CEF
2015-07-16 12:45 - 2015-07-16 12:45 - 00000000 ____D C:\Users\Detlev\Downloads\DDA_v16
2015-07-16 12:44 - 2015-07-16 12:44 - 00504083 _____ C:\Users\Detlev\Downloads\DDA_v16.zip
2015-07-16 00:26 - 2015-07-16 00:27 - 41578048 _____ C:\Users\Detlev\Downloads\WEB.DE_Firefox_Setup(1).exe
2015-07-15 10:38 - 2015-06-28 07:07 - 00442712 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2015-07-15 10:38 - 2015-06-28 07:07 - 00178008 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2015-07-15 10:38 - 2015-06-28 07:06 - 01311960 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcrt4.dll
2015-07-15 10:38 - 2015-06-28 07:06 - 00332120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2015-07-15 10:38 - 2015-06-27 18:42 - 00747520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rpcrt4.dll
2015-07-15 10:38 - 2015-06-27 05:13 - 00202240 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2015-07-15 10:38 - 2015-06-27 05:12 - 00401408 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2015-07-15 10:38 - 2015-06-27 05:12 - 00284672 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb10.sys
2015-07-15 10:38 - 2015-06-27 04:40 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2015-07-15 10:38 - 2015-06-27 04:05 - 01441792 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2015-07-15 10:38 - 2015-06-27 04:00 - 00989184 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2015-07-15 10:38 - 2015-06-27 03:53 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2015-07-15 10:38 - 2015-06-27 03:26 - 00802816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2015-07-15 10:38 - 2015-06-25 04:31 - 04177920 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-07-15 10:38 - 2015-06-16 00:41 - 00065024 _____ (Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
2015-07-15 10:38 - 2015-06-16 00:24 - 03320320 _____ (Microsoft Corporation) C:\WINDOWS\system32\msi.dll
2015-07-15 10:38 - 2015-06-15 23:16 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msiexec.exe
2015-07-15 10:38 - 2015-06-15 23:09 - 03607552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msi.dll
2015-07-15 10:38 - 2015-06-15 22:50 - 02774528 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2015-07-15 10:38 - 2015-06-15 21:57 - 02460160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2015-07-15 10:37 - 2015-06-16 00:39 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-07-15 10:37 - 2015-06-16 00:38 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2015-07-15 10:37 - 2015-06-16 00:26 - 00633856 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2015-07-15 10:37 - 2015-06-16 00:24 - 00816640 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-07-15 10:37 - 2015-06-16 00:02 - 00087552 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdc.ocx
2015-07-15 10:37 - 2015-06-15 23:58 - 00199680 _____ (Microsoft Corporation) C:\WINDOWS\system32\msrating.dll
2015-07-15 10:37 - 2015-06-15 23:57 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-07-15 10:37 - 2015-06-15 23:56 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2015-07-15 10:37 - 2015-06-15 23:55 - 00316928 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2015-07-15 10:37 - 2015-06-15 23:49 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-07-15 10:37 - 2015-06-15 23:41 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-07-15 10:37 - 2015-06-15 23:38 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-07-15 10:37 - 2015-06-15 23:36 - 02125824 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-07-15 10:37 - 2015-06-15 23:17 - 02880000 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2015-07-15 10:37 - 2015-06-15 23:16 - 02427392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-07-15 10:37 - 2015-06-15 23:15 - 00504320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-07-15 10:37 - 2015-06-15 23:13 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-07-15 10:37 - 2015-06-15 23:04 - 00478208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieui.dll
2015-07-15 10:37 - 2015-06-15 23:03 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-07-15 10:37 - 2015-06-15 22:52 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-07-15 10:37 - 2015-06-15 22:47 - 00073216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdc.ocx
2015-07-15 10:37 - 2015-06-15 22:44 - 00168960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msrating.dll
2015-07-15 10:37 - 2015-06-15 22:43 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2015-07-15 10:37 - 2015-06-15 22:42 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2015-07-15 10:37 - 2015-06-15 22:41 - 00285696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2015-07-15 10:37 - 2015-06-15 22:37 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-07-15 10:37 - 2015-06-15 22:32 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-07-15 10:37 - 2015-06-15 22:31 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-07-15 10:37 - 2015-06-15 22:30 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-07-15 10:37 - 2015-06-15 22:30 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-07-15 10:37 - 2015-06-15 22:17 - 01048576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\actxprxy.dll
2015-07-15 10:37 - 2015-06-15 22:07 - 01951232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-07-15 10:37 - 2015-06-15 22:02 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-07-15 10:37 - 2015-05-30 23:18 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\system32\werdiagcontroller.dll
2015-07-15 10:37 - 2015-05-30 21:36 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2015-07-15 10:37 - 2015-05-30 21:35 - 00911360 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-07-15 10:36 - 2015-07-02 23:21 - 19877376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-07-15 10:36 - 2015-07-02 22:50 - 02279424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-07-15 10:36 - 2015-07-02 22:49 - 25193984 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-07-15 10:36 - 2015-07-02 22:23 - 02885632 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-07-15 10:36 - 2015-07-02 22:19 - 12855296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-07-15 10:36 - 2015-07-02 21:55 - 01310720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-07-15 10:36 - 2015-07-02 21:20 - 14453248 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-07-15 10:36 - 2015-07-02 20:59 - 01545728 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-07-15 10:36 - 2015-07-02 00:08 - 05923840 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-07-15 10:36 - 2015-07-01 23:14 - 04520448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-07-15 10:36 - 2015-06-16 07:36 - 01661576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2015-07-15 10:36 - 2015-06-16 07:36 - 01212248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2015-07-15 10:36 - 2015-06-11 05:49 - 01380600 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2015-07-15 10:36 - 2015-06-10 18:13 - 01097216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2015-07-14 23:25 - 2015-07-14 23:25 - 00000000 ____D C:\Users\Admin\AppData\Roaming\PDF Architect 3
2015-07-14 23:09 - 2015-07-14 23:10 - 00000000 ____D C:\Users\Detlev\AppData\Local\PDFCreator
2015-07-14 23:07 - 2015-07-14 23:07 - 00000000 ____D C:\Users\Detlev\AppData\Roaming\PDF Architect 3
2015-07-14 23:06 - 2015-07-14 23:25 - 00000000 ____D C:\ProgramData\PDF Architect 3
2015-07-14 22:56 - 2015-07-14 22:58 - 28754952 _____ (pdfforge GmbH) C:\Users\Detlev\Downloads\PDFCreator-2_1_2-setup.exe
2015-07-14 14:06 - 2015-07-14 14:07 - 03966968 _____ (Ilja Herlein ) C:\Users\Detlev\Downloads\netsetman_setup_403.exe
2015-07-09 08:53 - 2015-07-09 08:53 - 00000000 ____D C:\Program Files (x86)\Dell Update
2015-07-01 10:03 - 2015-07-01 10:03 - 00000000 ____D C:\Users\Detlev\Documents\Steuerfälle
2015-06-28 20:29 - 2015-06-28 20:30 - 02861525 _____ C:\Users\Detlev\Downloads\picozip-recovery-tool_13451.exe
2015-06-25 22:43 - 2015-06-25 22:45 - 00000000 ____D C:\RecoveryTest
2015-06-24 01:29 - 2015-06-24 01:29 - 01217192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FM20.DLL
2015-06-24 00:34 - 2015-06-24 00:34 - 00000000 ____D C:\Program Files\Western Digital
2015-06-23 19:01 - 2015-06-23 19:01 - 01124072 _____ (Adobe Systems Incorporated) C:\Users\Detlev\Downloads\readerdc_de_ha_install.exe
2015-06-23 18:58 - 2015-07-16 21:38 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-06-23 18:58 - 2015-06-23 18:58 - 00002069 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-22 22:21 - 2014-07-29 23:16 - 00000000 ____D C:\Users\Admin
2015-07-22 22:19 - 2014-08-22 13:32 - 00000884 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-07-22 22:00 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-07-22 20:53 - 2014-07-31 23:47 - 00000000 ____D C:\Users\Detlev\.gimp-2.8
2015-07-22 20:01 - 2013-12-13 21:17 - 02019531 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-22 19:57 - 2015-05-29 22:06 - 00019937 _____ C:\WINDOWS\setupact.log
2015-07-22 19:56 - 2014-09-14 03:13 - 00000000 ____D C:\Users\Detlev\AppData\Roaming\vlc
2015-07-22 19:56 - 2014-01-04 02:00 - 00000000 ____D C:\Users\Detlev\AppData\Local\CrashDumps
2015-07-22 19:13 - 2013-12-13 21:19 - 01789004 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-07-22 19:13 - 2013-08-23 01:24 - 00770130 _____ C:\WINDOWS\system32\perfh007.dat
2015-07-22 19:13 - 2013-08-23 01:24 - 00160912 _____ C:\WINDOWS\system32\perfc007.dat
2015-07-22 19:08 - 2013-12-13 21:30 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2015-07-22 19:06 - 2015-05-29 09:49 - 00008192 _____ C:\WINDOWS\SysWOW64\WDPABKP.dat
2015-07-22 19:06 - 2013-08-22 16:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-22 18:32 - 2015-06-21 19:20 - 00000306 __RSH C:\ProgramData\ntuser.pol
2015-07-22 00:52 - 2014-08-06 14:25 - 00019433 _____ C:\Users\Detlev\AppData\Roaming\Rim.Desktop.Exception.log
2015-07-22 00:52 - 2014-08-06 14:25 - 00006083 _____ C:\Users\Detlev\AppData\Roaming\Rim.DesktopHelper.Exception.log
2015-07-21 22:20 - 2015-05-29 20:56 - 00000000 ____D C:\Users\Detlev\Documents\Privat
2015-07-21 20:07 - 2014-07-31 23:48 - 00000000 ____D C:\Users\Detlev\AppData\Local\gtk-2.0
2015-07-21 11:48 - 2013-12-27 13:02 - 00000000 ____D C:\Users\Detlev\Documents\Bank
2015-07-20 22:30 - 2015-05-29 22:06 - 00014624 _____ C:\WINDOWS\PFRO.log
2015-07-20 22:30 - 2013-08-22 16:44 - 00481592 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-07-20 22:28 - 2013-08-22 17:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-07-20 21:23 - 2014-07-29 23:16 - 00000000 ____D C:\Users\Detlev
2015-07-20 02:02 - 2014-08-09 18:26 - 00000000 ____D C:\ProgramData\Package Cache
2015-07-20 00:51 - 2015-06-21 18:04 - 00000000 ____D C:\Users\Detlev\AppData\Local\Windows Live
2015-07-20 00:13 - 2015-03-29 17:32 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2015-07-20 00:13 - 2015-03-29 17:32 - 00000000 ___SD C:\WINDOWS\system32\GWX
2015-07-19 12:39 - 2015-02-23 22:14 - 00000000 ____D C:\ProgramData\Oracle
2015-07-19 12:38 - 2015-04-27 22:54 - 00097888 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2015-07-19 12:38 - 2015-02-23 22:14 - 00000000 ____D C:\Program Files (x86)\Java
2015-07-18 10:37 - 2013-12-27 13:12 - 00000000 ____D C:\Users\Detlev\Documents\Reise
2015-07-17 19:02 - 2014-08-05 13:33 - 00002523 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat XI Standard.lnk
2015-07-17 19:02 - 2014-08-05 13:33 - 00002071 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller XI.lnk
2015-07-16 13:03 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\rescache
2015-07-16 11:16 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2015-07-15 15:29 - 2014-07-30 00:06 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-07-15 15:28 - 2014-07-30 01:06 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-07-14 23:08 - 2014-07-29 23:59 - 00000000 ____D C:\Users\Admin\AppData\Local\CrashDumps
2015-07-14 14:07 - 2015-03-01 22:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSetMan
2015-07-14 14:07 - 2015-03-01 22:28 - 00000000 ____D C:\Program Files (x86)\NetSetMan
2015-07-14 11:42 - 2014-11-07 00:46 - 00000000 ____D C:\Users\Detlev\Documents\Elternbeirat
2015-07-13 23:10 - 2013-08-22 17:38 - 00792568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-07-13 23:10 - 2013-08-22 17:38 - 00178168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-09 08:53 - 2013-12-13 21:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2015-07-03 08:43 - 2014-07-30 01:06 - 130333168 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-06-25 21:34 - 2014-07-30 06:21 - 00000000 ____D C:\Users\Detlev\AppData\Local\Adobe
2015-06-25 21:13 - 2014-08-31 23:34 - 00000000 ____D C:\Users\Admin\AppData\Local\Adobe
2015-06-24 00:34 - 2015-05-30 15:07 - 00000000 ____D C:\Program Files\Common Files\Western Digital
2015-06-24 00:34 - 2015-05-29 22:40 - 00024104 _____ C:\WINDOWS\DPINST.LOG
2015-06-24 00:34 - 2015-05-29 09:49 - 00000000 ____D C:\Program Files (x86)\Western Digital
2015-06-24 00:34 - 2015-05-29 09:48 - 00000000 ____D C:\ProgramData\Western Digital
2015-06-23 23:39 - 2014-07-29 23:20 - 00000000 ____D C:\Users\Detlev\AppData\Roaming\Adobe
2015-06-23 18:58 - 2014-07-29 23:37 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-06-23 18:57 - 2014-07-29 23:37 - 00000000 ____D C:\ProgramData\Adobe
2015-06-22 08:32 - 2015-04-12 20:42 - 00000000 ____D C:\WINDOWS\system32\appraiser
2015-06-22 08:32 - 2014-11-20 11:10 - 00000000 ___SD C:\WINDOWS\system32\CompatTel
2015-06-22 08:32 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\WinStore

==================== Files in the root of some directories =======

2015-01-08 17:39 - 2015-01-08 17:39 - 0021886 _____ () C:\Users\Detlev\AppData\Roaming\Kommagetrennte Werte (DOS).ADR
2015-03-13 20:06 - 2015-03-13 20:06 - 0022446 _____ () C:\Users\Detlev\AppData\Roaming\Kommagetrennte Werte (Windows).ADR
2014-10-04 22:30 - 2014-10-04 22:30 - 0038446 _____ () C:\Users\Detlev\AppData\Roaming\Microsoft Excel 97-2003.ADR
2014-08-06 14:25 - 2015-07-22 00:52 - 0019433 _____ () C:\Users\Detlev\AppData\Roaming\Rim.Desktop.Exception.log
2014-08-06 14:25 - 2015-07-22 00:52 - 0006083 _____ () C:\Users\Detlev\AppData\Roaming\Rim.DesktopHelper.Exception.log
2015-01-08 17:45 - 2015-01-08 17:45 - 0022608 _____ () C:\Users\Detlev\AppData\Roaming\Tabulatorgetrennte Werte (DOS).ADR
2015-07-22 20:00 - 2015-07-22 20:00 - 0132632 _____ () C:\Users\Detlev\AppData\Local\recently-used.xbel
2014-05-12 11:33 - 2014-05-12 11:33 - 0000017 _____ () C:\Users\Detlev\AppData\Local\resmon.resmoncfg
2015-01-01 17:34 - 2015-01-01 17:34 - 2363650 _____ () C:\ProgramData\1420126384.bdinstall.bin
2013-12-13 21:12 - 2013-12-13 21:12 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Admin\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Admin\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Admin\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Detlev\AppData\Local\Temp\jre-8u51-windows-au.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================
--- --- ---

Addition.txt
=======

Additional
FRST Logfile:
Code:
scan result of Farbar Recovery Scan Tool (x64) Version:20-07-2015
Ran by Detlev at 2015-07-22 22:24:12
Running from C:\Users\Detlev\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Admin (S-1-5-21-1058572625-867591187-812149052-1001 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-1058572625-867591187-812149052-500 - Administrator - Disabled) => C:\Users\Administrator
Detlev (S-1-5-21-1058572625-867591187-812149052-1002 - Limited - Enabled) => C:\Users\Detlev
Gast (S-1-5-21-1058572625-867591187-812149052-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Bitdefender Antivirus (Enabled - Up to date) {9A0813D8-CED6-F86B-072E-28D2AF25A83D}
AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Bitdefender Spyware-Schutz (Enabled - Up to date) {2169F23C-E8EC-F7E5-3D9E-13A0D4A2E280}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bitdefender Firewall (Enabled) {A23392FD-84B9-F933-2C71-81E751F6EF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AAVUpdateManager (HKLM-x32\...\{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}) (Version: 18.00.0000 - Wolters Kluwer Deutschland GmbH)
Adobe Acrobat Reader DC - Deutsch (HKLM-x32\...\{AC76BA86-7AD7-1031-7B44-AC0F074E4100}) (Version: 15.008.20082 - Adobe Systems Incorporated)
Adobe Acrobat XI Standard (HKLM-x32\...\{AC76BA86-1033-FFFF-BA7E-000000000006}) (Version: 11.0.12 - Adobe Systems)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Any Video Converter 5.8.1 (HKLM-x32\...\Any Video Converter) (Version: 5.8.1 - Anvsoft)
Bitdefender Internet Security 2015 (HKLM\...\Bitdefender) (Version: 18.11.0.872 - Bitdefender)
BlackBerry Desktop Software 7.1 (HKLM-x32\...\BlackBerry_Desktop) (Version: 7.1.0.41 - Research in Motion Ltd.)
BlackBerry Desktop Software 7.1 (x32 Version: 7.1.0.41 - Research in Motion Ltd.) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.03 - Piriform)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Backup and Recovery - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 1.6.2.4 - Dell Inc.)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.6.2.4 - Dell Inc.)
Dell Custom Help (Version: 16.05.1000.0264 - Intel Corporation) Hidden
Dell Customer Connect (HKLM-x32\...\{FEFDCDCF-C49C-45D0-AAF8-5345858ADEC7}) (Version: 1.2.1.0 - Dell Inc.)
Dell Digital Delivery (HKLM-x32\...\{693A23FB-F28B-4F7A-A720-4C1263F97F43}) (Version: 3.1.1002.0 - Dell Products, LP)
Dell System Detect (HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\9204f5692a8faf3b) (Version: 5.10.0.8 - Dell)
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 17.0.15.62 - Synaptics Incorporated)
Dell Update (HKLM-x32\...\{90437913-9D4D-4D9D-B438-B8664DF851E9}) (Version: 1.7.1007.0 - Dell Inc.)
DisplayLink Core Software (HKLM\...\{A7CC7D80-3ECA-4206-AAE3-AD0E65D49B93}) (Version: 7.7.57576.0 - DisplayLink Corp.)
DisplayLink Graphics (HKLM\...\{4FF9F49F-B6DD-4439-A1F6-DDB715414199}) (Version: 7.7.57576.0 - DisplayLink Corp.)
Druckerdeinstallation für EPSON StandardBusinessPrinters (HKLM\...\EPSON StandardBusinessPrinters) (Version:  - SEIKO EPSON Corporation)
Druckerdeinstallation für EPSON WP-4535 Series (HKLM\...\EPSON WP-4535 Series) (Version:  - SEIKO EPSON Corporation)
DSC/AA Factory Installer (Version: 3.4.6299.48 - PC-Doctor, Inc.) Hidden
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.47.00 - SEIKO EPSON CORPORATION)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
Fotogalerie (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
FreeMind (HKLM-x32\...\B991B020-2968-11D8-AF23-444553540000_is1) (Version: 1.0.1 - )
GIMP 2.8.10 (HKLM\...\GIMP-2_is1) (Version: 2.8.10 - The GIMP Team)
Intel Experience Center - Configuration (x32 Version: 1.7.0.179 - Intel) Hidden
Intel(R) Driver Update Utility 2.0 (x32 Version: 2.0.0.29 - Intel) Hidden
Intel(R) Experience Center Desktop Software (HKLM-x32\...\{3608ec0a-56b4-4d9d-b038-9b3e51d72582}) (Version: 1.7.0.179 - Intel)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.14.1724 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3304 - Intel Corporation)
Intel(R) Rapid Start Technology (HKLM-x32\...\{3D073343-CEEB-4ce7-85AC-A69A7631B5D6}) (Version: 3.0.0.1056 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.2.1000 - Intel Corporation)
Intel(R) Smart Connect Technology (HKLM\...\{B1AC3709-3E98-4F2C-A84E-4BCA2A452E64}) (Version: 4.2.40.2418 - Intel Corporation)
Intel(R) Wireless Bluetooth(R) (HKLM-x32\...\{182D4D1C-F9C5-4758-9B8C-157655C9F29B}) (Version: 17.1.1512.0771 - Intel Corporation)
Intel(R) Wireless Bluetooth(R)(patch version 17.1.1449.356) (HKLM\...\{302600C1-6BDF-4FD1-1411-148929CC1385}) (Version: 17.1.1411.0506 - Intel Corporation)
Intel® Driver Update Utility (HKLM-x32\...\{8409c4f7-2340-4933-a304-5d37db4fb48b}) (Version: 2.0.0.29 - Intel)
Intel® PROSet/Wireless Software (HKLM-x32\...\{6535d76a-59fb-4935-b2c5-cd61917c4a4b}) (Version: 17.16.0 - Intel Corporation)
Java 8 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation)
Logitech Harmony Remote Software 7 (HKLM-x32\...\{5C6F884D-680C-448B-B4C9-22296EE1B206}) (Version: 7.7.0.0 - Logitech)
Malwarebytes Anti-Malware Version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Office Ultimate 2007 (HKLM-x32\...\ULTIMATER) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Project Standard 2010 (HKLM-x32\...\Office14.PRJSTD) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visio Premium 2010 (HKLM-x32\...\Office14.VISIOR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{402ED4A1-8F5B-387A-8688-997ABF58B8F2}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio 2010-Tools für Office-Laufzeit (x64) Language Pack - DEU (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Language Pack - DEU) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft-Maus- und Tastatur-Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
NetSetMan 4.0.3 (HKLM-x32\...\NetSetMan_is1) (Version: 4.0.3 - Ilja Herlein)
PDFill PDF Editor with FREE Writer and FREE Tools (HKLM\...\{D1399216-81B2-457C-A0F7-73B9A2EF6902}) (Version: 11.0 - PlotSoft LLC)
Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 11.2.04 - Dell Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7404 - Realtek Semiconductor Corp.)
Remote Control USB Driver (HKLM-x32\...\{8471021C-F529-43DE-84DF-3612E10F58C4}) (Version: 2.3.2.317 - )
Security Task Manager 2.1 (HKLM-x32\...\Security Task Manager) (Version: 2.1 - Neuber Software)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003A-0000-0000-0000000FF1CE}_Office14.PRJSTD_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0057-0000-0000-0000000FF1CE}_Office14.VISIOR_{359ADBEC-068A-4CC9-9174-77AB8EDB867A}) (Version:  - Microsoft)
Similar Picture Find v1.2 (HKLM-x32\...\Similar Picture Find_is1) (Version:  - UNGSoft Developers Group)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.4.0.9058 - Microsoft Corporation)
Skype™ 7.6 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.6.103 - Skype Technologies S.A.)
Software Updater (HKLM-x32\...\{C09D747A-BD47-42A9-915E-CEB6B1BB7C11}) (Version: 4.2.7 - SEIKO EPSON CORPORATION)
SteuerSparErklärung 2015 (HKLM-x32\...\{312C0E08-8F94-4536-AAF6-3413F784AC5F}) (Version: 20.36.164 - Akademische Arbeitsgemeinschaft)
Total Commander 64-bit (Remove or Repair) (HKLM\...\Totalcmd64) (Version: 8.51a - Ghisler Software GmbH)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0407-0000-0000000FF1CE}_ULTIMATER_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version:  - Microsoft)
Update für Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0407-0000-0000000FF1CE}_ULTIMATER_{F6828576-6F79-470D-AB50-69D1BBADBD30}) (Version:  - Microsoft)
Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0407-0000-0000000FF1CE}_ULTIMATER_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version:  - Microsoft)
Update für Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0407-0000-0000000FF1CE}_ULTIMATER_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version:  - Microsoft)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WD Drive Utilities (HKLM-x32\...\{c77bad57-f913-4ac3-9061-6dfd6c0aa40a}) (Version: 1.3.0.16 - Western Digital Technologies, Inc.)
WD Drive Utilities (x32 Version: 1.3.0.16 - Western Digital Technologies, Inc.) Hidden
WD Quick View (HKLM-x32\...\{6DC98797-B975-4902-8379-9D30A8694B1C}) (Version: 2.4.11.4 - Western Digital Technologies, Inc.)
WD Security (HKLM-x32\...\{D338102B-BA1C-4CCA-B870-8690FA0F0433}) (Version: 1.1.0.51 - Western Digital Technologies, Inc.)
WD SmartWare (HKLM\...\{1F71ADEE-3133-47DC-8C54-7ADBCEB17F3B}) (Version: 2.4.11.4 - Western Digital Technologies, Inc.)
WD SmartWare Installer (HKLM-x32\...\{f8b1c3bb-688a-4421-a45e-a22dd15f22ee}) (Version: 2.4.11.4 - Western Digital Technologies, Inc.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 15:25 - 2015-04-02 10:15 - 00000824 ____N C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job =>

==================== Loaded Modules (Whitelisted) ==============

2013-12-13 21:31 - 2013-08-19 11:21 - 00020256 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIcon.dll
2013-12-13 21:31 - 2013-08-19 11:21 - 00019232 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayNotBackuped.dll
2013-12-13 21:31 - 2013-08-19 11:21 - 00035104 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRShellExtension.dll
2015-06-21 17:35 - 2015-02-27 14:38 - 00721263 _____ () C:\WINDOWS\SysWOW64\WSCM64.dll
2015-01-01 17:34 - 2015-01-01 17:47 - 00265080 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\txmlutil.dll
2015-01-01 17:34 - 2013-09-03 15:29 - 00101328 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\bdmetrics.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Admin\Downloads\avc581-free.exe:BDU
AlternateDataStreams: C:\Users\Admin\Downloads\ccsetup503_slim.exe:BDU
AlternateDataStreams: C:\Users\Admin\Downloads\install_flashplayer17x32au_mssd_aaa_aih.exe:BDU
AlternateDataStreams: C:\Users\Admin\Downloads\netsetman_setup_401.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Desktop\mbam-setup-2.1.6.1022.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\cinemahd-44.0.4238-setup.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\DisplayLink_Support_Tool.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\Firefox Setup Stub 36.0.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\Firefox Setup Stub 38.0.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\firefox_setup_39.0.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\flashplayer17_ha_install(1).exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\FreeMind-Windows-Installer-1.0.1-max.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\IE11-Windows6.1-x64-de-de.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\jxpiinstall.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\Malwarebytes Anti Malware Malware Scanner - CHIP-Installer.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\netsetman_setup_402.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\netsetman_setup_403.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\PC Inspector File Recovery - CHIP-Installer.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\PDFCreator-2_1_2-setup.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\PDFill_11.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\picozip-recovery-tool_13451.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\readerdc_de_ha_install.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\sim-pict.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\SkypeSetup.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\SpeedMaxpc_installer.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\SpeedMaxpc_installer_de.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\video-converter-ultimate_setup_full1045.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\WEB.DE_Firefox_Setup(1).exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\Windows Product Key Viewer - CHIP-Installer.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\wlsetup-all_16.4.3508.0205.exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\wmp81n - CHIP-Installer(1).exe:BDU
AlternateDataStreams: C:\Users\Detlev\Downloads\wmp81n - CHIP-Installer.exe:BDU

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\dell.com -> dell.com


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1058572625-867591187-812149052-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\Detlev\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "SynTPEnh"
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\StartupApproved\StartupFolder: => "OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk"
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\StartupApproved\Run: => "DellSystemDetect"
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\StartupApproved\Run: => "EPLTarget\P0000000000000000"
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\StartupApproved\Run: => "CCleaner Monitoring"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{0099FC0E-AC50-4B99-983D-8DFDD1865A6B}] => (Allow) C:\Program Files (x86)\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe
FirewallRules: [{0ED56093-CBB3-4213-B3D9-1BE7F4023E03}] => (Allow) C:\Program Files (x86)\Research In Motion\BlackBerry Desktop\Rim.Desktop.exe
FirewallRules: [{B0A34BB2-A373-49B5-9A99-186AD59A9A7B}] => (Allow) LPort=4481
FirewallRules: [{690B5F7A-199B-44C2-84A3-1E1262EBCDC3}] => (Allow) LPort=4481
FirewallRules: [{2AC24438-8DD4-458D-99AF-FC44DB341FD9}] => (Allow) LPort=4482
FirewallRules: [{2AD9C131-6F5D-4D69-8CDC-ED2F54AAD54A}] => (Allow) LPort=4482
FirewallRules: [{FA222147-EE66-4588-AE84-4A4DC93F5CEC}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{0E60A4BE-0DCE-474D-BD26-E390DEE2C033}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{615734ED-83DF-45B8-B168-3CE034E03F5D}] => (Allow) LPort=2869
FirewallRules: [{DBE43A9D-035F-49D0-B810-05FA0E522338}] => (Allow) LPort=1900
DomainProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (07/22/2015 10:16:25 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm wwahost.exe, Version 6.3.9600.17415 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: dc4

Startzeit: 01d0c4ba92b3b60a

Endzeit: 4294967295

Anwendungspfad: C:\WINDOWS\system32\wwahost.exe

Berichts-ID: 863b643d-30ae-11e5-82b2-00249b0cd93e

Vollständiger Name des fehlerhaften Pakets: AppUp.IntelExperienceCenter_1.9.1.8_x64__8j3eq9eme6ctt

Anwendungs-ID, die relativ zum fehlerhaften Paket ist: App

Error: (07/22/2015 10:11:20 PM) (Source: ESENT) (EventID: 454) (User: )
Description: DllHost (4436) IndexedDb: Bei Datenbankwiederherstellung trat ein unerwarteter Fehler -530 auf.

Error: (07/22/2015 10:11:20 PM) (Source: ESENT) (EventID: 412) (User: )
Description: DllHost (4436)IndexedDb: Die Kopfzeile der Protokolldatei C:\Users\Detlev\AppData\Local\Microsoft\Internet Explorer\Indexed DB\edb000B5.log konnte nicht gelesen werden. Fehler -530.

Error: (07/22/2015 09:56:09 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm wwahost.exe, Version 6.3.9600.17415 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: 1754

Startzeit: 01d0c4b7bb3419a1

Endzeit: 4294967295

Anwendungspfad: C:\WINDOWS\system32\wwahost.exe

Berichts-ID: b1898b73-30ab-11e5-82b2-00249b0cd93e

Vollständiger Name des fehlerhaften Pakets: AppUp.IntelExperienceCenter_1.9.1.8_x64__8j3eq9eme6ctt

Anwendungs-ID, die relativ zum fehlerhaften Paket ist: App

Error: (07/22/2015 09:50:59 PM) (Source: ESENT) (EventID: 454) (User: )
Description: DllHost (4436) IndexedDb: Bei Datenbankwiederherstellung trat ein unerwarteter Fehler -530 auf.

Error: (07/22/2015 09:50:59 PM) (Source: ESENT) (EventID: 412) (User: )
Description: DllHost (4436)IndexedDb: Die Kopfzeile der Protokolldatei C:\Users\Detlev\AppData\Local\Microsoft\Internet Explorer\Indexed DB\edb000B5.log konnte nicht gelesen werden. Fehler -530.

Error: (07/22/2015 09:34:34 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm wwahost.exe, Version 6.3.9600.17415 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: e40

Startzeit: 01d0c4b4b9b3b77f

Endzeit: 4294967295

Anwendungspfad: C:\WINDOWS\system32\wwahost.exe

Berichts-ID: ad3a58d7-30a8-11e5-82b2-00249b0cd93e

Vollständiger Name des fehlerhaften Pakets: AppUp.IntelExperienceCenter_1.9.1.8_x64__8j3eq9eme6ctt

Anwendungs-ID, die relativ zum fehlerhaften Paket ist: App

Error: (07/22/2015 09:29:30 PM) (Source: ESENT) (EventID: 454) (User: )
Description: DllHost (4436) IndexedDb: Bei Datenbankwiederherstellung trat ein unerwarteter Fehler -530 auf.

Error: (07/22/2015 09:29:30 PM) (Source: ESENT) (EventID: 412) (User: )
Description: DllHost (4436)IndexedDb: Die Kopfzeile der Protokolldatei C:\Users\Detlev\AppData\Local\Microsoft\Internet Explorer\Indexed DB\edb000B5.log konnte nicht gelesen werden. Fehler -530.

Error: (07/22/2015 09:26:05 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Programm wwahost.exe, Version 6.3.9600.17415 kann nicht mehr unter Windows ausgeführt werden und wurde beendet. Überprüfen Sie den Problemverlauf in der Wartungscenter-Systemsteuerung, um nach weiteren Informationen zum Problem zu suchen.

Prozess-ID: 1b98

Startzeit: 01d0c4b38a52bcf6

Endzeit: 4294967295

Anwendungspfad: C:\WINDOWS\system32\wwahost.exe

Berichts-ID: 7dd6dde1-30a7-11e5-82b2-00249b0cd93e

Vollständiger Name des fehlerhaften Pakets: AppUp.IntelExperienceCenter_1.9.1.8_x64__8j3eq9eme6ctt

Anwendungs-ID, die relativ zum fehlerhaften Paket ist: App


System errors:
=============
Error: (07/22/2015 03:32:13 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT-AUTORITÄT)
Description: Das WLAN-Erweiterungsmodul wurde unerwartet beendet.

Modulpfad: C:\WINDOWS\System32\IWMSSvc.dll

Error: (07/22/2015 03:32:13 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT-AUTORITÄT)
Description: Das WLAN-Erweiterungsmodul wurde unerwartet beendet.

Modulpfad: C:\WINDOWS\System32\IWMSSvc.dll

Error: (07/22/2015 03:32:11 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT-AUTORITÄT)
Description: Das WLAN-Erweiterungsmodul wurde unerwartet beendet.

Modulpfad: C:\WINDOWS\System32\IWMSSvc.dll

Error: (07/22/2015 03:32:05 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Der Dienst "Dell Digital Delivery Service" wurde unerwartet beendet. Dies ist bereits 2 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 1000 Millisekunden durchgeführt: Neustart des Diensts.

Error: (07/22/2015 03:32:05 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Der Dienst "WD Backup" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 0 Millisekunden durchgeführt: Neustart des Diensts.

Error: (07/22/2015 03:32:05 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "WD Drive Manager" wurde unerwartet beendet. Dies ist bereits 2 Mal passiert.

Error: (07/22/2015 03:32:05 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Der Dienst "DisplayLinkManager" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 1900 Millisekunden durchgeführt: Neustart des Diensts.

Error: (07/22/2015 03:32:05 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Der Dienst "Intel(R) Capability Licensing Service Interface" wurde unerwartet beendet. Dies ist bereits 1 Mal vorgekommen. Folgende Korrekturmaßnahmen werden in 0 Millisekunden durchgeführt: Neustart des Diensts.

Error: (07/22/2015 03:32:02 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Dell Customer Connect" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.

Error: (07/22/2015 03:32:02 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Dienst "Blackberry Device Manager" wurde unerwartet beendet. Dies ist bereits 1 Mal passiert.


Microsoft Office:
=========================

CodeIntegrity Errors:
===================================
  Date: 2014-08-01 16:01:54.601
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\drivers\igdkmd64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i7-4500U CPU @ 1.80GHz
Percentage of memory in use: 35%
Total physical RAM: 8097.32 MB
Available physical RAM: 5184.39 MB
Total Virtual: 9377.32 MB
Available Virtual: 5960.38 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:222.49 GB) (Free:82.13 GB) NTFS
Drive d: (My Passport) (Fixed) (Total:1862.98 GB) (Free:1628.13 GB) NTFS
Drive e: (USB-STICK) (Removable) (Total:0.12 GB) (Free:0.06 GB) FAT

==================== MBR & Partition Table ==================

==================== End of log ============================
--- --- ---


Result2.txt
=======

Malwarebytes Anti-Malware
www.malwarebytes.org

Suchlaufdatum: 22.07.2015
Suchlaufzeit: 19:28
Protokolldatei: result2.txt
Administrator: Nein

Version: 2.1.8.1057
Malware-Datenbank: v2015.07.22.04
Rootkit-Datenbank: v2015.07.17.01
Lizenz: Testversion
Malware-Schutz: Aktiviert
Schutz vor bösartigen Websites: Aktiviert
Selbstschutz: Deaktiviert

Betriebssystem: Windows 8.1
CPU: x64
Dateisystem: NTFS
Benutzer: Detlev

Suchlauftyp: Bedrohungssuchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 346473
Abgelaufene Zeit: 10 Min., 17 Sek.

Speicher: Aktiviert
Start: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Deaktiviert
Heuristik: Aktiviert
PUP: Aktiviert
PUM: Aktiviert

Prozesse: 0
(keine bösartigen Elemente erkannt)

Module: 0
(keine bösartigen Elemente erkannt)

Registrierungsschlüssel: 18
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{E7BF74EE-9106-4113-B216-2F980BA29141}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{F2DB3739-77FB-41EB-9ED3-ABF34DF2DBF7}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{E7BF74EE-9106-4113-B216-2F980BA29141}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{E7BF74EE-9106-4113-B216-2F980BA29141}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\DPBHO.DownloadProtect.1, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\DPBHO.DownloadProtect, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\DPBHO.DownloadProtect, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\DPBHO.DownloadProtect, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\DPBHO.DownloadProtect.1, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\DPBHO.DownloadProtect.1, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, HKLM\SOFTWARE\CLASSES\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}\INPROCSERVER32, , [6b610ada5337ae88d0913307eb15b848],

Registrierungswerte: 0
(keine bösartigen Elemente erkannt)

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Ordner: 0
(keine bösartigen Elemente erkannt)

Dateien: 2
PUP.Optional.DownloadProtect.A, C:\Program Files\{DCB99623-DFAE-4297-B412-EB532D4B2DB7}\{45F26614-6ADF-43A4-B5A6-1F917C1DE834}.bin, , [6b610ada5337ae88d0913307eb15b848],
PUP.Optional.DownloadProtect.A, C:\Program Files (x86)\{88F2BEBC-E310-466E-AAF6-B647EF538B58}\{2FDA30AA-080D-4720-B65B-7287BE47EFB5}.bin, , [6b610ada5337ae88d0913307eb15b848],

Physische Sektoren: 0
(keine bösartigen Elemente erkannt)


(end)
[/CODE]

DWaKd 23.07.2015 09:12
Code:

Teil 1 von 5
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-22 22:51:48
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000036 LITEONIT_LMT-256M6M_mSATA_256GB rev.DM8110F 238,47GB
Running: Gmer-19357.exe; Driver: C:\Users\Admin\AppData\Local\Temp\pwtyapod.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable                                                                                            fffff96000190600 15 bytes [00, 96, F2, 01, 00, 6A, 6C, ...]
.text  C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16                                                                                        fffff96000190610 11 bytes [00, D7, FB, FF, 00, 7B, D1, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                              00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                        00007ffb8ecae1f0 12 bytes [48, B8, 89, D0, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                  00007ffb8ed434b1 11 bytes [B8, 89, 0F, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                      00007ffb8ed6aba1 8 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                      00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                            00007ffb8ed6aca1 11 bytes [B8, 49, E7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                        00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                    00007ffb8d2921d1 11 bytes [B8, 49, C4, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                      00007ffb8d2942a0 12 bytes [48, B8, 09, C6, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                00007ffb8d295f71 11 bytes [B8, 49, EE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                        00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                      00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                  00007ffb8d298d81 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                  00007ffb8d2997b1 11 bytes [B8, C9, C0, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                    00007ffb8d29c050 12 bytes [48, B8, 09, F0, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                  00007ffb8d29d781 11 bytes [B8, C9, F1, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                          00007ffb8d2a2511 11 bytes [B8, 09, E9, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                              00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                              00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                    00007ffb8d2e93c1 8 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                    00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                00007ffb8d30a841 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                        00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                              00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                              00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                        00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                        00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                  00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!ShowWindow                                              00007ffb8fae11b0 6 bytes [48, B8, C9, A4, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                          00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                    00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!GetMessageW                                            00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                        00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                          00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                        00007ffb8fae33f1 11 bytes [B8, C9, 14, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                        00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                  00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                  00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                        00007ffb8fae6d90 7 bytes [48, B8, 49, A1, 27, 59, 00]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                    00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                        00007ffb8faeab30 7 bytes [48, B8, 09, A3, 27, 59, 00]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                    00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                      00007ffb8faece31 11 bytes [B8, 49, AF, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                        00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                            00007ffb8faedec1 11 bytes [B8, 09, 21, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                        00007ffb8faf0e61 7 bytes [B8, 49, CB, 27, 59, 00, 00]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                        00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                        00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                      00007ffb8fb03ab1 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                        00007ffb8fb05921 11 bytes [B8, 09, 13, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                      00007ffb8fb07161 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                      00007ffb8fb07691 5 bytes [B8, 89, C9, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                      00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                          00007ffb8fb177a1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                  00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                  00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                      00007ffb8fb67d01 11 bytes [B8, 09, AA, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                      00007ffb8fb67d31 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                      00007ffb8fb71021 11 bytes [B8, 89, AD, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                        00007ffb8fb71471 11 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\GDI32.dll!GdiDllInitialize + 465                                  00007ffb8e974121 11 bytes [B8, C9, 22, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\GDI32.dll!NamedEscape + 1                                          00007ffb8ea34d41 11 bytes [B8, 49, 03, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                              00007ffb8f8814a1 5 bytes [B8, 49, F5, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                              00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                  00007ffb8f882041 5 bytes [B8, 09, 05, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                  00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                    00007ffb8f882061 5 bytes [B8, 49, 0A, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                    00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                00007ffb8f882071 5 bytes [B8, 89, 08, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                    00007ffb8f882091 5 bytes [B8, 09, 0C, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                    00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                    00007ffb8f8820a1 5 bytes [B8, C9, 06, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                    00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                              00007ffb8f882201 5 bytes [B8, 89, F3, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                              00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                      00007ffb8f8b0fa1 5 bytes [B8, 09, F7, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                      00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                      00007ffb8f8b0fb1 5 bytes [B8, C9, F8, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                      00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                        00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                        00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                  00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                          00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                          00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                    00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                  00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                              00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                      00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                              00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1484] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                  00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                              00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                        00007ffb8ecae1f0 12 bytes [48, B8, 89, D0, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                  00007ffb8ed434b1 11 bytes [B8, 89, 0F, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                      00007ffb8ed6aba1 8 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                      00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                            00007ffb8ed6aca1 11 bytes [B8, 49, E7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                        00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                    00007ffb8d2921d1 11 bytes [B8, 49, C4, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                      00007ffb8d2942a0 12 bytes [48, B8, 09, C6, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                00007ffb8d295f71 11 bytes [B8, 49, EE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                        00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                      00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                  00007ffb8d298d81 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                  00007ffb8d2997b1 11 bytes [B8, C9, C0, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                    00007ffb8d29c050 12 bytes [48, B8, 09, F0, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                  00007ffb8d29d781 11 bytes [B8, C9, F1, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                          00007ffb8d2a2511 11 bytes [B8, 09, E9, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                              00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                              00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                    00007ffb8d2e93c1 8 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                    00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                00007ffb8d30a841 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                        00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                              00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                              00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                        00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                        00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                  00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!ShowWindow                                              00007ffb8fae11b0 6 bytes [48, B8, C9, A4, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                          00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                    00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!GetMessageW                                            00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                        00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                          00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                        00007ffb8fae33f1 11 bytes [B8, C9, 14, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                        00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                  00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                  00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                        00007ffb8fae6d90 7 bytes [48, B8, 49, A1, 27, 59, 00]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                    00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                        00007ffb8faeab30 7 bytes [48, B8, 09, A3, 27, 59, 00]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                    00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                      00007ffb8faece31 11 bytes [B8, 49, AF, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                        00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                            00007ffb8faedec1 11 bytes [B8, 09, 21, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                        00007ffb8faf0e61 7 bytes [B8, 49, CB, 27, 59, 00, 00]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                        00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                        00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                      00007ffb8fb03ab1 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                        00007ffb8fb05921 11 bytes [B8, 09, 13, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                      00007ffb8fb07161 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                      00007ffb8fb07691 5 bytes [B8, 89, C9, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                      00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                          00007ffb8fb177a1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                  00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                  00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                      00007ffb8fb67d01 11 bytes [B8, 09, AA, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                      00007ffb8fb67d31 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                      00007ffb8fb71021 11 bytes [B8, 89, AD, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                        00007ffb8fb71471 11 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\GDI32.dll!GdiDllInitialize + 465                                  00007ffb8e974121 11 bytes [B8, C9, 22, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\GDI32.dll!NamedEscape + 1                                          00007ffb8ea34d41 11 bytes [B8, 49, 03, 28, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                              00007ffb8f8814a1 5 bytes [B8, 49, F5, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                              00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                  00007ffb8f882041 5 bytes [B8, 09, 05, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                  00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                    00007ffb8f882061 5 bytes [B8, 49, 0A, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                    00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                00007ffb8f882071 5 bytes [B8, 89, 08, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                    00007ffb8f882091 5 bytes [B8, 09, 0C, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                    00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                    00007ffb8f8820a1 5 bytes [B8, C9, 06, 28, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                    00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                              00007ffb8f882201 5 bytes [B8, 89, F3, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                              00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                      00007ffb8f8b0fa1 5 bytes [B8, 09, F7, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                      00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                      00007ffb8f8b0fb1 5 bytes [B8, C9, F8, 27, 59]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                      00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                        00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                        00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                  00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                          00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                          00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                    00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                  00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                              00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                      00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                              00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[1500] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                  00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]

DWaKd 23.07.2015 09:51
gmer.txt (Teil 2)
 
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-22 22:51:48
Teil 2/5
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot        00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                  00007ffb8ecae1f0 12 bytes [48, B8, 89, D0, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1              00007ffb8ed434b1 11 bytes [B8, 89, 0F, 28, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                  00007ffb8ed6aba1 8 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1        00007ffb8ed6aca1 11 bytes [B8, 49, E7, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                    00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                00007ffb8d2921d1 11 bytes [B8, 49, C4, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                00007ffb8d2942a0 12 bytes [48, B8, 09, C6, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1            00007ffb8d295f71 11 bytes [B8, 49, EE, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                  00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1            00007ffb8d298d81 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1            00007ffb8d2997b1 11 bytes [B8, C9, C0, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW              00007ffb8d29c050 12 bytes [48, B8, 09, F0, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1              00007ffb8d29d781 11 bytes [B8, C9, F1, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1      00007ffb8d2a2511 11 bytes [B8, 09, E9, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW        00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1        00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                00007ffb8d2e93c1 8 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10              00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1          00007ffb8d30a841 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                  00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1          00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1          00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                  00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                  00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread            00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!ShowWindow                        00007ffb8fae11b0 6 bytes [48, B8, C9, A4, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                    00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8            00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!GetMessageW                        00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                  00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                    00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                  00007ffb8fae33f1 11 bytes [B8, C9, 14, 28, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                    00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1              00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9              00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                    00007ffb8fae6d90 7 bytes [48, B8, 49, A1, 27, 59, 00]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10              00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                    00007ffb8faeab30 7 bytes [48, B8, 09, A3, 27, 59, 00]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10              00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                00007ffb8faece31 11 bytes [B8, 49, AF, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                  00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1        00007ffb8faedec1 11 bytes [B8, 09, 21, 28, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                    00007ffb8faf0e61 7 bytes [B8, 49, CB, 27, 59, 00, 00]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                    00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                    00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1  00007ffb8fb03ab1 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                  00007ffb8fb05921 11 bytes [B8, 09, 13, 28, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                  00007ffb8fb07161 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                  00007ffb8fb07691 5 bytes [B8, 89, C9, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                  00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1    00007ffb8fb177a1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1              00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10            00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                  00007ffb8fb67d01 11 bytes [B8, 09, AA, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                  00007ffb8fb67d31 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                00007ffb8fb71021 11 bytes [B8, 89, AD, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                    00007ffb8fb71471 11 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\d3d9.dll!Direct3DCreate9                      00007ffb8459eb90 12 bytes [48, B8, C9, 81, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1        00007ffb8f8814a1 5 bytes [B8, 49, F5, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7        00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1              00007ffb8f882041 5 bytes [B8, 09, 05, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7              00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                00007ffb8f882061 5 bytes [B8, 49, 0A, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1            00007ffb8f882071 5 bytes [B8, 89, 08, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7            00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1              00007ffb8f882091 5 bytes [B8, 09, 0C, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7              00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1              00007ffb8f8820a1 5 bytes [B8, C9, 06, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7              00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1        00007ffb8f882201 5 bytes [B8, 89, F3, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7        00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                  00007ffb8f8b0fa1 5 bytes [B8, 09, F7, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                  00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                00007ffb8f8b0fb1 5 bytes [B8, C9, F8, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                  00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                  00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1            00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\GDI32.dll!GdiDllInitialize + 465              00007ffb8e974121 2 bytes [B8, 09]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\GDI32.dll!GdiDllInitialize + 468              00007ffb8e974124 8 bytes [28, 59, 00, 00, 00, 00, 50, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\system32\GDI32.dll!NamedEscape + 1                    00007ffb8ea34d41 11 bytes [B8, 49, 03, 28, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1            00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                      00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                      00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1            00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1          00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1          00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1            00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory + 1                00007ffb8a5b7751 11 bytes [B8, 89, 83, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory1 + 1              00007ffb8a5b8ee1 11 bytes [B8, 49, 85, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe[1580] C:\WINDOWS\SYSTEM32\dxgi.dll!CreateDXGIFactory2 + 1              00007ffb8a5bc651 11 bytes [B8, 09, 87, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                  00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                      00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                            00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                        00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                    00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                    00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                                00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                      00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                    00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                  00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                  00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                          00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                            00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                            00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                    00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                              00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                      00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                              00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                              00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                      00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                      00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                            00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                                    00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                                00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                            00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                      00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                        00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                      00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                        00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                  00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                  00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                        00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                        00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                    00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                      00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                            00007ffb8faedec1 11 bytes [B8, 09, 05, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                        00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                        00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                        00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                      00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                      00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                      00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                      00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                      00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                        00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                  00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                      00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                      00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                    00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                        00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\GDI32.dll!GdiDllInitialize + 465                                                  00007ffb8e974121 11 bytes [B8, C9, 06, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\GDI32.dll!NamedEscape + 1                                                        00007ffb8ea34d41 11 bytes [B8, 49, E7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                          00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                          00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                    00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                              00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                    00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                              00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!closesocket                                                            00007ffb8f1e1be0 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!recv + 1                                                              00007ffb8f1e2571 11 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                                                            00007ffb8f1e2d61 11 bytes [B8, 89, 9F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                                                            00007ffb8f1e2ff1 11 bytes [B8, 89, E5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                                                            00007ffb8f1e3880 12 bytes [48, B8, 09, 9C, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!socket + 1                                                            00007ffb8f1e3bd1 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                                                          00007ffb8f1e4230 12 bytes [48, B8, 09, 80, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!connect                                                                00007ffb8f1e5730 12 bytes [48, B8, 49, 62, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                                                        00007ffb8f1e87e0 12 bytes [48, B8, C9, 81, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!send + 1                                                              00007ffb8f1f42d1 11 bytes [B8, 49, 9A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                                                        00007ffb8f1f6fe1 11 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                                                      00007ffb8f2054b1 11 bytes [B8, 89, 83, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                            00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                                  00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                                  00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                                    00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                                    00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                                00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                                  00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                                  00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                            00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                                      00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                                      00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                                    00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                                      00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                                      00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\DNSAPI.dll!DnsQueryEx                                                            00007ffb8c494420 12 bytes [48, B8, C9, C0, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_UTF8                                                          00007ffb8c4b3cd0 12 bytes [48, B8, 09, BF, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_W                                                            00007ffb8c4b4350 12 bytes [48, B8, 49, BD, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\WLANExt.exe[1784] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_A                                                            00007ffb8c4efd90 12 bytes [48, B8, 89, BB, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                  00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                      00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                            00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                        00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                    00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                    00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                                00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                      00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                    00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                  00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                  00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                          00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                            00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                            00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                    00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                              00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                      00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                              00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                              00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                      00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                      00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                          00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                          00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                    00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                              00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                    00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                              00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!closesocket                                                            00007ffb8f1e1be0 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!recv + 1                                                              00007ffb8f1e2571 11 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                                                            00007ffb8f1e2d61 11 bytes [B8, 89, 9F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                                                            00007ffb8f1e2ff1 11 bytes [B8, 89, E5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                                                            00007ffb8f1e3880 12 bytes [48, B8, 09, 9C, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!socket + 1                                                            00007ffb8f1e3bd1 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                                                          00007ffb8f1e4230 12 bytes [48, B8, 09, 80, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!connect                                                                00007ffb8f1e5730 12 bytes [48, B8, 49, 62, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                                                        00007ffb8f1e87e0 12 bytes [48, B8, C9, 81, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!send + 1                                                              00007ffb8f1f42d1 11 bytes [B8, 49, 9A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                                                        00007ffb8f1f6fe1 11 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                                                      00007ffb8f2054b1 11 bytes [B8, 89, 83, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WINHTTP.dll!WinHttpCloseHandle + 1                                                00007ffb86f19bd1 11 bytes [B8, C9, 96, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WINHTTP.dll!WinHttpOpenRequest                                                    00007ffb86f2f2d0 12 bytes [48, B8, 09, 95, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\WINHTTP.dll!WinHttpConnect + 1                                                    00007ffb86f30441 11 bytes [B8, 89, 98, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\DNSAPI.dll!DnsQueryEx                                                            00007ffb8c494420 12 bytes [48, B8, C9, C0, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_UTF8                                                          00007ffb8c4b3cd0 12 bytes [48, B8, 09, BF, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_W                                                            00007ffb8c4b4350 12 bytes [48, B8, 49, BD, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\DNSAPI.dll!DnsQuery_A                                                            00007ffb8c4efd90 12 bytes [48, B8, 89, BB, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                            00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                                    00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                                00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                            00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                      00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                        00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                      00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                        00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                  00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                  00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                        00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                        00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                    00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                      00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                            00007ffb8faedec1 11 bytes [B8, 09, 0C, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                        00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                        00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                        00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                      00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                      00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                      00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                      00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                      00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                        00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                  00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                      00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                      00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                    00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                        00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\urlmon.dll!URLDownloadToCacheFileW                                                00007ffb81e780b0 12 bytes [48, B8, 89, 60, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\urlmon.dll!URLDownloadToFileW + 1                                                00007ffb81e79641 11 bytes [B8, C9, 5E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                            00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                                  00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                                  00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                                    00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                                    00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                                00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                                  00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                                  00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                            00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                                      00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                                      00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                                    00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                                      00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\dashost.exe[2256] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                                      00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                      00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                            00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                              00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                      00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                  00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                              00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                              00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                          00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                              00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                          00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                          00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                            00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                            00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                    00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                      00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                      00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                              00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                            00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                        00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                        00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                        00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                          00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                          00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                    00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                    00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                              00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                          00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                        00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                              00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                        00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                          00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!closesocket                                                      00007ffb8f1e1be0 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!recv + 1                                                        00007ffb8f1e2571 11 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                                                      00007ffb8f1e2d61 11 bytes [B8, 89, 9F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                                                      00007ffb8f1e2ff1 11 bytes [B8, 89, E5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                                                      00007ffb8f1e3880 12 bytes [48, B8, 09, 9C, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!socket + 1                                                      00007ffb8f1e3bd1 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                                                    00007ffb8f1e4230 12 bytes [48, B8, 09, 80, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!connect                                                          00007ffb8f1e5730 12 bytes [48, B8, 49, 62, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                                                  00007ffb8f1e87e0 12 bytes [48, B8, C9, 81, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!send + 1                                                        00007ffb8f1f42d1 11 bytes [B8, 49, 9A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                                                  00007ffb8f1f6fe1 11 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                                                00007ffb8f2054b1 11 bytes [B8, 89, 83, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow                                                      00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow + 8                                                  00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx                                              00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx + 8                                          00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageW                                                      00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageW + 1                                                00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!CallNextHookEx                                                  00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageW + 1                                                00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageA + 1                                                  00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 1                                            00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 9                                            00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW                                                  00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW + 10                                            00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA                                                  00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA + 10                                            00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextW + 1                                              00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageA + 1                                                00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!UserClientDllInitialize + 1                                      00007ffb8faedec1 11 bytes [B8, 89, 08, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 1                                                  00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 9                                                  00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!SetWinEventHook                                                  00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!CreateDialogIndirectParamAorW + 1                                00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageA + 1                                                00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExW + 1                                                00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 1                                                00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 9                                                00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!DialogBoxIndirectParamAorW + 1                                  00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 1                                            00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 10                                          00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExA + 1                                                00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExW + 1                                                00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextA + 1                                              00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[3180] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowA + 1                                                  00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                      00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                            00007ffb8ed434b1 11 bytes [B8, C9, F1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                              00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                      00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                  00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                              00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                              00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                          00007ffb8d295f71 11 bytes [B8, 89, D0, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                              00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                          00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                          00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                            00007ffb8d29c050 12 bytes [48, B8, 49, D2, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                            00007ffb8d29d781 11 bytes [B8, 09, D4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                    00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                      00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                      00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                              00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                            00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                        00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                        00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                        00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                          00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!closesocket                                                      00007ffb8f1e1be0 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!recv + 1                                                        00007ffb8f1e2571 11 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                                                      00007ffb8f1e2d61 11 bytes [B8, 89, 9F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                                                      00007ffb8f1e2ff1 11 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                                                      00007ffb8f1e3880 12 bytes [48, B8, 09, 9C, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!socket + 1                                                      00007ffb8f1e3bd1 11 bytes [B8, C9, DC, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                                                    00007ffb8f1e4230 12 bytes [48, B8, 09, 80, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!connect                                                          00007ffb8f1e5730 12 bytes [48, B8, 49, 62, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                                                  00007ffb8f1e87e0 12 bytes [48, B8, C9, 81, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!send + 1                                                        00007ffb8f1f42d1 11 bytes [B8, 49, 9A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                                                  00007ffb8f1f6fe1 11 bytes [B8, 49, E0, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                                                00007ffb8f2054b1 11 bytes [B8, 89, 83, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                          00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                    00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                    00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                              00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                          00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                        00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                              00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                        00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                          00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 1                                      00007ffb8f8814a1 5 bytes [B8, 89, D7, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 7                                      00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 1                                            00007ffb8f882041 5 bytes [B8, 49, E7, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 7                                            00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 1                                              00007ffb8f882061 5 bytes [B8, 89, EC, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 7                                              00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 1                                          00007ffb8f882071 5 bytes [B8, C9, EA, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 7                                          00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 1                                            00007ffb8f882091 5 bytes [B8, 49, EE, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 7                                            00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 1                                            00007ffb8f8820a1 5 bytes [B8, 09, E9, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 7                                            00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 1                                      00007ffb8f882201 5 bytes [B8, C9, D5, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 7                                      00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 1                                                00007ffb8f8b0fa1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 7                                                00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 1                                              00007ffb8f8b0fb1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 7                                              00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceA                                                00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceW                                                00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow                                                      00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow + 8                                                  00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx                                              00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx + 8                                          00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageW                                                      00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageW + 1                                                00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!CallNextHookEx                                                  00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageW + 1                                                00007ffb8fae33f1 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageA + 1                                                  00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 1                                            00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 9                                            00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW                                                  00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW + 10                                            00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA                                                  00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA + 10                                            00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextW + 1                                              00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageA + 1                                                00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!UserClientDllInitialize + 1                                      00007ffb8faedec1 11 bytes [B8, 89, 08, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 1                                                  00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 9                                                  00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!SetWinEventHook                                                  00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!CreateDialogIndirectParamAorW + 1                                00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageA + 1                                                00007ffb8fb05921 11 bytes [B8, 49, F5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExW + 1                                                00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 1                                                00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 9                                                00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!DialogBoxIndirectParamAorW + 1                                  00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 1                                            00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 10                                          00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExA + 1                                                00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExW + 1                                                00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextA + 1                                              00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3192] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowA + 1                                                  00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                      00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                            00007ffb8ed434b1 11 bytes [B8, C9, F1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                              00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                      00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                  00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                              00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                              00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                          00007ffb8d295f71 11 bytes [B8, 89, D0, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                              00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                          00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                          00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                            00007ffb8d29c050 12 bytes [48, B8, 49, D2, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                            00007ffb8d29d781 11 bytes [B8, 09, D4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                    00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                      00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                      00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                              00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                            00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                        00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                        00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                        00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                          00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!closesocket                                                      00007ffb8f1e1be0 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!recv + 1                                                        00007ffb8f1e2571 11 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                                                      00007ffb8f1e2d61 11 bytes [B8, 89, 9F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                                                      00007ffb8f1e2ff1 11 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                                                      00007ffb8f1e3880 12 bytes [48, B8, 09, 9C, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!socket + 1                                                      00007ffb8f1e3bd1 11 bytes [B8, C9, DC, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                                                    00007ffb8f1e4230 12 bytes [48, B8, 09, 80, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!connect                                                          00007ffb8f1e5730 12 bytes [48, B8, 49, 62, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                                                  00007ffb8f1e87e0 12 bytes [48, B8, C9, 81, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!send + 1                                                        00007ffb8f1f42d1 11 bytes [B8, 49, 9A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                                                  00007ffb8f1f6fe1 11 bytes [B8, 49, E0, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                                                00007ffb8f2054b1 11 bytes [B8, 89, 83, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                          00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                    00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                    00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                              00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                          00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                        00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                              00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                        00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                          00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 1                                      00007ffb8f8814a1 5 bytes [B8, 89, D7, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 7                                      00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 1                                            00007ffb8f882041 5 bytes [B8, 49, E7, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 7                                            00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 1                                              00007ffb8f882061 5 bytes [B8, 89, EC, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 7                                              00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 1                                          00007ffb8f882071 5 bytes [B8, C9, EA, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 7                                          00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 1                                            00007ffb8f882091 5 bytes [B8, 49, EE, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 7                                            00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 1                                            00007ffb8f8820a1 5 bytes [B8, 09, E9, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 7                                            00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 1                                      00007ffb8f882201 5 bytes [B8, C9, D5, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 7                                      00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 1                                                00007ffb8f8b0fa1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 7                                                00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 1                                              00007ffb8f8b0fb1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 7                                              00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceA                                                00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceW

DWaKd 23.07.2015 09:53
gmer.txt (Teil 3)
 
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-22 22:51:48
Teil 3/5


.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow                                                      00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow + 8                                                  00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx                                              00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx + 8                                          00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageW                                                      00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageW + 1                                                00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!CallNextHookEx                                                  00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageW + 1                                                00007ffb8fae33f1 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageA + 1                                                  00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 1                                            00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 9                                            00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW                                                  00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW + 10                                            00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA                                                  00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA + 10                                            00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextW + 1                                              00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageA + 1                                                00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!UserClientDllInitialize + 1                                      00007ffb8faedec1 11 bytes [B8, 89, 08, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 1                                                  00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 9                                                  00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!SetWinEventHook                                                  00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!CreateDialogIndirectParamAorW + 1                                00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageA + 1                                                00007ffb8fb05921 11 bytes [B8, 49, F5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExW + 1                                                00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 1                                                00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 9                                                00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!DialogBoxIndirectParamAorW + 1                                  00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 1                                            00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 10                                          00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExA + 1                                                00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExW + 1                                                00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextA + 1                                              00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowA + 1                                                  00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[3296] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                          00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                    00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                          00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                      00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                  00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                    00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                              00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                      00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                    00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                  00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                        00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                            00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                            00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                  00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                              00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                      00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                            00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                            00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                      00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                      00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                              00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                        00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                        00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                  00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                            00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                    00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                            00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 1                                            00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 7                                            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 1                                                00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 7                                                00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 1                                                  00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 7                                                  00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 1                                              00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 7                                              00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 1                                                  00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 7                                                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 1                                                  00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 7                                                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 1                                            00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 7                                            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 1                                                    00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 7                                                    00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 1                                                    00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 7                                                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceA                                                      00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceW                                                      00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                            00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                                  00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                              00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                          00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                      00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                        00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                      00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                      00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                      00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                      00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                    00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                      00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                          00007ffb8faedec1 11 bytes [B8, 89, 08, 28, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                      00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                      00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                      00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                    00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                      00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                    00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                    00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                    00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                        00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                    00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                    00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                    00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3660] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                      00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                    00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                          00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                      00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                  00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                    00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                              00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                      00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                    00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                  00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                        00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                            00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                            00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                  00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                              00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                      00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                            00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                            00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                      00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                      00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                              00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                        00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                        00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                  00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                            00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                    00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                            00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 1                                            00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 7                                            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 1                                                00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 7                                                00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 1                                                  00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 7                                                  00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 1                                              00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 7                                              00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 1                                                  00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 7                                                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 1                                                  00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 7                                                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 1                                            00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 7                                            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 1                                                    00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 7                                                    00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 1                                                    00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 7                                                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceA                                                      00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceW                                                      00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                            00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                                  00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                              00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                          00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                      00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                        00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                      00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                      00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                      00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                      00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                    00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                      00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                          00007ffb8faedec1 11 bytes [B8, 89, 08, 28, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                      00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                      00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                      00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                    00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                      00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                    00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                    00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                    00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                        00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                    00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                    00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                    00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\WUDFHost.exe[3724] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                      00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                        00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                  00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                            00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                      00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                  00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                              00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                          00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                  00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                            00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                            00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                              00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                            00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                    00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                        00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                        00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                              00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                              00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                          00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                  00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                        00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                        00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                  00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                  00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                            00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                        00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                    00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                              00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                          00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                      00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                  00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                    00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                  00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                  00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                            00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                            00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                  00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                              00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                  00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                              00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                  00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                      00007ffb8faedec1 11 bytes [B8, 09, 05, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                  00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                  00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                  00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                  00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                    00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                            00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                            00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                  00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                        00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                        00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                            00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                            00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                              00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                              00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                          00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                          00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                              00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                              00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                              00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                              00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                        00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                        00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                                00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                                00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                                00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                                00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                                  00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                                  00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                          00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                    00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                    00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                              00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                            00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                        00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                        00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\TEMP\irstrtsv\scrncap.exe[4980] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                            00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                                    00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                          00007ffb8ed434b1 11 bytes [B8, 49, 85, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                              00007ffb8ed6aba1 8 bytes [B8, 89, 60, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                            00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                                    00007ffb8ed6aca1 11 bytes [B8, C9, 65, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                                        00007ffb8d295f71 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                          00007ffb8d29c050 12 bytes [48, B8, 89, 6E, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                          00007ffb8d29d781 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                                  00007ffb8d2a2511 11 bytes [B8, 89, 67, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                                    00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                                    00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                            00007ffb8d2e93c1 8 bytes [B8, 49, 62, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                          00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                      00007ffb8d30a841 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                              00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                        00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 1                                                    00007ffb8f8814a1 5 bytes [B8, C9, 73, 27, 59]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 7                                                    00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 1                                                          00007ffb8f882041 5 bytes [B8, C9, 7A, 27, 59]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 7                                                          00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 1                                                            00007ffb8f882061 5 bytes [B8, 09, 80, 27, 59]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 7                                                            00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 1                                                        00007ffb8f882071 5 bytes [B8, 49, 7E, 27, 59]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 7                                                        00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 1                                                          00007ffb8f882091 5 bytes [B8, C9, 81, 27, 59]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 7                                                          00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 1                                                          00007ffb8f8820a1 5 bytes [B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 7                                                          00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 1                                                    00007ffb8f882201 5 bytes [B8, 09, 72, 27, 59]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 7                                                    00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 1                                                              00007ffb8f8b0fa1 5 bytes [B8, 89, 75, 27, 59]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 7                                                              00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 1                                                            00007ffb8f8b0fb1 5 bytes [B8, 49, 77, 27, 59]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 7                                                            00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceA                                                              00007ffb8f8ddd10 12 bytes [48, B8, 89, 52, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceW                                                              00007ffb8f8ddda0 12 bytes [48, B8, 49, 54, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                                    00007ffb8fae2670 12 bytes [48, B8, 89, 8A, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                              00007ffb8fae33f1 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                                00007ffb8fae6191 11 bytes [B8, C9, 88, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                          00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                          00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                                    00007ffb8faedec1 11 bytes [B8, 49, 9A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                                00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                              00007ffb8fb05921 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                          00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                        00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\GDI32.dll!GdiDllInitialize + 465                                                          00007ffb8e974121 11 bytes [B8, 09, 9C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\GDI32.dll!NamedEscape + 1                                                                00007ffb8ea34d41 11 bytes [B8, 09, 79, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                        00007ffb8f5f47a1 11 bytes [B8, 49, 4D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                                  00007ffb8f5f4d10 12 bytes [48, B8, 09, 41, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                                  00007ffb8f5fa830 12 bytes [48, B8, 49, 3F, 27, 59, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                            00007ffb8f5fae11 11 bytes [B8, 49, 46, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                        00007ffb8f5fed61 11 bytes [B8, 89, 44, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                                      00007ffb8f614021 11 bytes [B8, 89, 4B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                            00007ffb8f61a1a1 11 bytes [B8, 09, 48, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                                      00007ffb8f61de41 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                        00007ffb8f62ddf1 11 bytes [B8, C9, 42, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\Explorer.EXE[4160] C:\WINDOWS\system32\WS2_32.dll!connect                                                                        00007ffb8f1e5730 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                          00007ffb8ecae1f0 12 bytes [48, B8, 89, D0, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                    00007ffb8ed434b1 11 bytes [B8, 89, 0F, 28, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                        00007ffb8ed6aba1 8 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                        00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1              00007ffb8ed6aca1 11 bytes [B8, 49, E7, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                          00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                      00007ffb8d2921d1 11 bytes [B8, 49, C4, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                        00007ffb8d2942a0 12 bytes [48, B8, 09, C6, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                  00007ffb8d295f71 11 bytes [B8, 49, EE, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                          00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                        00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                    00007ffb8d298d81 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                    00007ffb8d2997b1 11 bytes [B8, C9, C0, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                      00007ffb8d29c050 12 bytes [48, B8, 09, F0, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                    00007ffb8d29d781 11 bytes [B8, C9, F1, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1            00007ffb8d2a2511 11 bytes [B8, 09, E9, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                      00007ffb8d2e93c1 8 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                      00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                  00007ffb8d30a841 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                          00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                          00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                          00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                    00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!ShowWindow                                00007ffb8fae11b0 6 bytes [48, B8, C9, A4, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                            00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                      00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                  00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!GetMessageW                              00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                          00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                            00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                          00007ffb8fae33f1 11 bytes [B8, C9, 14, 28, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                          00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                    00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                    00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                          00007ffb8fae6d90 7 bytes [48, B8, 49, A1, 27, 59, 00]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                      00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                          00007ffb8faeab30 7 bytes [48, B8, 09, A3, 27, 59, 00]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                      00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                        00007ffb8faece31 11 bytes [B8, 49, AF, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                          00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1              00007ffb8faedec1 11 bytes [B8, 09, 21, 28, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                          00007ffb8faf0e61 7 bytes [B8, 49, CB, 27, 59, 00, 00]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                          00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                          00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1        00007ffb8fb03ab1 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                          00007ffb8fb05921 11 bytes [B8, 09, 13, 28, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                        00007ffb8fb07161 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                        00007ffb8fb07691 5 bytes [B8, 89, C9, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                        00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1            00007ffb8fb177a1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                    00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                    00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                        00007ffb8fb67d01 11 bytes [B8, 09, AA, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                        00007ffb8fb67d31 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                        00007ffb8fb71021 11 bytes [B8, 89, AD, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                          00007ffb8fb71471 11 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                    00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                00007ffb8f8814a1 5 bytes [B8, 49, F5, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                    00007ffb8f882041 5 bytes [B8, 09, 05, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                    00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                      00007ffb8f882061 5 bytes [B8, 49, 0A, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                      00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                  00007ffb8f882071 5 bytes [B8, 89, 08, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                  00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                      00007ffb8f882091 5 bytes [B8, 09, 0C, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                      00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                      00007ffb8f8820a1 5 bytes [B8, C9, 06, 28, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                      00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                00007ffb8f882201 5 bytes [B8, 89, F3, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                        00007ffb8f8b0fa1 5 bytes [B8, 09, F7, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                        00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                        00007ffb8f8b0fb1 5 bytes [B8, C9, F8, 27, 59]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                        00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                          00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                          00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                  00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                            00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                            00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                      00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                    00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                        00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe[4560] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                    00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                  00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                      00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                            00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                        00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                    00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                    00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                                00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                      00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                    00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                  00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                  00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                          00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                            00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                            00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                    00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                              00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                      00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                              00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                              00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                      00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                      00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                          00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                          00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                    00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                              00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                    00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                              00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow                                                            00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow + 8                                                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx                                                    00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx + 8                                                00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageW                                                            00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageW + 1                                                      00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!CallNextHookEx                                                        00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageW + 1                                                      00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageA + 1                                                        00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 1                                                  00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 9                                                  00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW                                                        00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW + 10                                                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA                                                        00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA + 10                                                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextW + 1                                                    00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageA + 1                                                      00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!UserClientDllInitialize + 1                                            00007ffb8faedec1 11 bytes [B8, C9, 06, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 1                                                        00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 9                                                        00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!SetWinEventHook                                                        00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!CreateDialogIndirectParamAorW + 1                                      00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageA + 1                                                      00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExW + 1                                                      00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 1                                                      00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 9                                                      00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!DialogBoxIndirectParamAorW + 1                                        00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 1                                                  00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 10                                                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExA + 1                                                      00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExW + 1                                                      00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextA + 1                                                    00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowA + 1                                                        00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                            00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                                  00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                                  00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                                    00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                                    00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                                00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                                  00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                                  00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                            00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                                      00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                                      00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                                    00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                                      00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\DllHost.exe[4436] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                                      00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                          00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                    00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                              00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                  00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                  00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                        00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                    00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                  00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                            00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                    00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                  00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                              00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                              00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                              00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                      00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                          00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                          00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                            00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                    00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                          00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                          00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                    00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                    00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                              00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]

DWaKd 23.07.2015 09:55
gmer.txt (Teil 4)
 
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-22 22:51:48
Teil 4/5


.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                            00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                      00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                      00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                              00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                          00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                  00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                          00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                              00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow                                                          00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow + 8                                                      00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx                                                00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx + 8                                            00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageW                                                        00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageW + 1                                                    00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!CallNextHookEx                                                      00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageW + 1                                                    00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageA + 1                                                    00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 1                                              00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 9                                              00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW                                                    00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW + 10                                                00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA                                                    00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA + 10                                                00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextW + 1                                                  00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageA + 1                                                    00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!UserClientDllInitialize + 1                                        00007ffb8faedec1 11 bytes [B8, C9, 06, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 1                                                    00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 9                                                    00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!SetWinEventHook                                                    00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!CreateDialogIndirectParamAorW + 1                                  00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageA + 1                                                    00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExW + 1                                                  00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 1                                                  00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 9                                                  00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!DialogBoxIndirectParamAorW + 1                                      00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 1                                              00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 10                                              00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExA + 1                                                  00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExW + 1                                                  00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextA + 1                                                  00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowA + 1                                                    00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                              00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 1                                          00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextW + 7                                          00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 1                                              00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptCreateHash + 7                                              00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 1                                                00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptHashData + 7                                                00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 1                                            00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGetHashParam + 7                                            00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 1                                                00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptImportKey + 7                                                00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 1                                                00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptExportKey + 7                                                00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 1                                          00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptAcquireContextA + 7                                          00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 1                                                  00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptGenKey + 7                                                  00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 1                                                  00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CryptEncrypt + 7                                                  00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceA                                                    00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\taskhostex.exe[5328] C:\WINDOWS\SYSTEM32\advapi32.dll!CreateServiceW                                                    00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot              00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                        00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                    00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                        00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                      00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1              00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                          00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                      00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                      00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                  00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                        00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                      00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                  00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                  00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                    00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                    00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1            00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW              00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1              00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                      00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                    00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                        00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                        00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                        00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                  00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!ShowWindow                              00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                          00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                      00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                  00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!GetMessageW                              00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                        00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                          00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                        00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                          00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                    00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                    00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                          00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                    00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                          00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                    00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                      00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                        00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1              00007ffb8faedec1 11 bytes [B8, 09, 05, 28, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                          00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                          00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                          00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1        00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                        00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                        00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                        00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                        00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1          00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                    00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                  00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                        00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                        00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                      00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                          00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                  00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                            00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                            00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                      00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                  00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                      00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                  00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[5340] C:\WINDOWS\system32\shell32.dll!Shell_NotifyIconW + 1                  00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe[5348] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot              00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe[5348] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                        00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe[5348] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                  00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe[5348] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                      00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe[5348] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                      00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe[5348] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1            00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[5388] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[5388] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[5388] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                  00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[5388] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                      00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[5388] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[5388] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1            00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                    00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                          00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                      00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                  00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                    00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                              00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                      00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                    00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                  00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                        00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                            00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                            00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                  00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                              00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                      00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                            00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                            00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                      00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                      00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                            00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                                  00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                              00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                          00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                      00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                        00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                      00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                      00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                      00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                      00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                    00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                      00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                          00007ffb8faedec1 11 bytes [B8, 09, 05, 28, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                      00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                      00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                      00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                    00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                      00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                    00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                    00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                    00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                        00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                    00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                    00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                    00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                      00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                            00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                                00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                                00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                                  00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                                  00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                              00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                              00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                                  00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                                  00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                            00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                                    00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                                    00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                                    00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                                      00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                                      00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\GDI32.dll!GdiDllInitialize + 465                                                00007ffb8e974121 11 bytes [B8, 89, 08, 28, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\system32\GDI32.dll!NamedEscape + 1                                                        00007ffb8ea34d41 11 bytes [B8, 49, E7, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                              00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                        00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                        00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                  00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                            00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                    00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                            00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Windows\system32\igfxsrvc.exe[5860] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                    00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                          00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                      00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                  00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                    00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                              00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                      00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                    00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                  00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                        00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                            00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                            00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                  00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                              00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                      00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                            00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                            00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                      00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                      00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                            00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                                  00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                              00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                          00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                      00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                        00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                      00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                      00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                      00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                      00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                    00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                      00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                          00007ffb8faedec1 11 bytes [B8, 09, 05, 28, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                      00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                      00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                      00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                    00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                      00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                    00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                    00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                    00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                        00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                    00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                    00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                    00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                      00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                            00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                                00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                                00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                                  00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                                  00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                              00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                              00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                                  00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                                  00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                            00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                                    00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                                    00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                                    00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                                      00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                                      00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                              00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                        00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                        00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                  00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                            00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                    00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                            00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxtray.exe[5184] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                              00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                        00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                    00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                        00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                      00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                              00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                          00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                      00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                      00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                                  00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                        00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                      00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                  00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                  00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                    00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                    00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                            00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                              00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                              00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                      00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                    00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                                00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                        00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                                00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                                00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                        00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                        00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                  00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                              00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                          00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                                      00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                                  00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                              00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                        00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                          00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                        00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                          00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                    00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                    00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                          00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                                    00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                          00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                                    00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                      00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                        00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                              00007ffb8faedec1 11 bytes [B8, 09, 05, 28, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                          00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                          00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                          00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                        00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                        00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                        00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                        00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                        00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                          00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                    00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                  00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                        00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                        00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                      00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                          00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                              00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                              00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                                    00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                                    00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                                      00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                                      00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                                  00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                                  00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                                    00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                                    00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                                    00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                                    00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                              00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                              00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                                        00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                                        00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                                      00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                                      00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                                        00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                                        00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                  00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                  00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                            00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                            00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                      00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                  00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                                00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                      00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                                00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\hkcmd.exe[5684] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                  00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                    00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                          00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                      00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                  00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                    00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                              00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                      00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                    00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                  00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                        00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                            00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                            00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                  00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                              00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                      00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                            00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                            00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                      00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                      00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                            00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                                  00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                              00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                          00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                      00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                        00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                      00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                      00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                      00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                      00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                    00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                      00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                          00007ffb8faedec1 11 bytes [B8, 09, 05, 28, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                      00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                      00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                      00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                    00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                      00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                    00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                    00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                    00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                        00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                    00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                    00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                    00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                      00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                            00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                                00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                                00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                                  00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                                  00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                              00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                              00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                                  00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                                  00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                            00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                                    00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                                    00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                                    00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                                      00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                                      00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                              00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                        00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                        00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                  00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                            00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                    00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                            00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\igfxpers.exe[5124] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                          00007ffb8ecae1f0 12 bytes [48, B8, 89, D0, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                      00007ffb8ed434b1 11 bytes [B8, 89, 0F, 28, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                          00007ffb8ed6aba1 8 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                        00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                00007ffb8ed6aca1 11 bytes [B8, 49, E7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                            00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                        00007ffb8d2921d1 11 bytes [B8, 49, C4, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                        00007ffb8d2942a0 12 bytes [48, B8, 09, C6, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                    00007ffb8d295f71 11 bytes [B8, 49, EE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                          00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                        00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                    00007ffb8d298d81 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                    00007ffb8d2997b1 11 bytes [B8, C9, C0, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                      00007ffb8d29c050 12 bytes [48, B8, 09, F0, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                      00007ffb8d29d781 11 bytes [B8, C9, F1, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                              00007ffb8d2a2511 11 bytes [B8, 09, E9, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                        00007ffb8d2e93c1 8 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                      00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                  00007ffb8d30a841 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                          00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                  00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                  00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                          00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                          00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                    00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]

DWaKd 23.07.2015 09:57
gmer.txt (Teil 5)
 
[CODE]
GMER Logfile:
Code:
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2015-07-22 22:51:48
Teil 5/5


.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                00007ffb8fae11b0 6 bytes [48, B8, C9, A4, 27, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                            00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                        00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                    00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                          00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                            00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                          00007ffb8fae33f1 11 bytes [B8, C9, 14, 28, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                            00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                      00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                      00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                            00007ffb8fae6d90 7 bytes [48, B8, 49, A1, 27, 59, 00]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                      00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                            00007ffb8faeab30 7 bytes [48, B8, 09, A3, 27, 59, 00]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                      00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                        00007ffb8faece31 11 bytes [B8, 49, AF, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                          00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                00007ffb8faedec1 11 bytes [B8, 09, 21, 28, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                            00007ffb8faf0e61 7 bytes [B8, 49, CB, 27, 59, 00, 00]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                            00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                            00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                          00007ffb8fb03ab1 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                          00007ffb8fb05921 11 bytes [B8, 09, 13, 28, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                          00007ffb8fb07161 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                          00007ffb8fb07691 5 bytes [B8, 89, C9, 27, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                          00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                            00007ffb8fb177a1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                      00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                    00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                          00007ffb8fb67d01 11 bytes [B8, 09, AA, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                          00007ffb8fb67d31 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                        00007ffb8fb71021 11 bytes [B8, 89, AD, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                            00007ffb8fb71471 11 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                00007ffb8f8814a1 5 bytes [B8, 49, F5, 27, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                      00007ffb8f882041 5 bytes [B8, 09, 05, 28, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                      00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                        00007ffb8f882061 5 bytes [B8, 49, 0A, 28, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                        00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                    00007ffb8f882071 5 bytes [B8, 89, 08, 28, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                    00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                      00007ffb8f882091 5 bytes [B8, 09, 0C, 28, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                      00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                      00007ffb8f8820a1 5 bytes [B8, C9, 06, 28, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                      00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                00007ffb8f882201 5 bytes [B8, 89, F3, 27, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                          00007ffb8f8b0fa1 5 bytes [B8, 09, F7, 27, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                          00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                        00007ffb8f8b0fb1 5 bytes [B8, C9, F8, 27, 59]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                        00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                          00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                          00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                    00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                    00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                              00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                              00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                        00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                    00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                  00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                        00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                  00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                    00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!closesocket                                                00007ffb8f1e1be0 12 bytes [48, B8, C9, B9, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!recv + 1                                                  00007ffb8f1e2571 11 bytes [B8, C9, FF, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                                                00007ffb8f1e2d61 11 bytes [B8, 89, BB, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                                                00007ffb8f1e2ff1 11 bytes [B8, 89, 01, 28, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                                                00007ffb8f1e3880 12 bytes [48, B8, 09, B8, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!socket + 1                                                00007ffb8f1e3bd1 11 bytes [B8, 89, FA, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                                              00007ffb8f1e4230 12 bytes [48, B8, 09, 9C, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!connect                                                    00007ffb8f1e5730 12 bytes [48, B8, 49, 62, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                                            00007ffb8f1e87e0 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!send + 1                                                  00007ffb8f1f42d1 11 bytes [B8, 49, B6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                                            00007ffb8f1f6fe1 11 bytes [B8, 09, FE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[5692] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                                          00007ffb8f2054b1 11 bytes [B8, 89, 9F, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                            00007ffb8ecadb10 12 bytes [48, B8, 89, 36, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                      00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                                00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                    00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                          00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                      00007ffb8d2914c0 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                                  00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                                    00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                              00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                      00007ffb8d296ed0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                                    00007ffb8d298a71 11 bytes [B8, 89, 4B, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                                00007ffb8d298d81 11 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                00007ffb8d2997b1 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                                  00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                                00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                        00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                            00007ffb8d2aef70 12 bytes [48, B8, 49, 2A, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                            00007ffb8d2c6b21 11 bytes [B8, 49, 3F, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                                  00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                              00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                      00007ffb8d30ac50 12 bytes [48, B8, 89, 3D, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                            00007ffb8d35f811 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                            00007ffb8d35f891 11 bytes [B8, C9, 73, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                      00007ffb8d360340 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                      00007ffb8d360570 12 bytes [48, B8, 49, 77, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                                00007ffb8d370c80 12 bytes [48, B8, 89, 21, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!ShowWindow                                                            00007ffb8fae11b0 6 bytes [48, B8, 89, 8A, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                                                  00007ffb8fae1210 6 bytes [48, B8, 49, 7E, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                                              00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!GetMessageW                                                          00007ffb8fae2670 12 bytes [48, B8, C9, 6C, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                                      00007ffb8fae2991 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                                        00007ffb8fae2ef0 12 bytes [48, B8, 89, 7C, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                                      00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                                      00007ffb8fae6191 11 bytes [B8, 09, 6B, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                                                00007ffb8fae6391 7 bytes [B8, C9, 1F, 27, 59, 00, 00]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                                                00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                                      00007ffb8fae6d90 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                                                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                                      00007ffb8faeab30 7 bytes [48, B8, C9, 88, 27, 59, 00]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                                                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                                                    00007ffb8faece31 11 bytes [B8, 09, 95, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                                      00007ffb8faedb41 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                                          00007ffb8faedec1 11 bytes [B8, 09, 05, 28, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                                      00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                                      00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                                      00007ffb8faf7100 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                    00007ffb8fb03ab1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                                      00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                                    00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                                    00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                                    00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                        00007ffb8fb177a1 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                                                00007ffb8fb40f61 8 bytes [B8, 09, 1E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                                                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                                    00007ffb8fb67d01 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                                    00007ffb8fb67d31 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                                                    00007ffb8fb71021 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                                      00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!closesocket                                                          00007ffb8f1e1be0 12 bytes [48, B8, 89, 9F, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!recv + 1                                                              00007ffb8f1e2571 11 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                                                          00007ffb8f1e2d61 11 bytes [B8, 49, A1, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                                                          00007ffb8f1e2ff1 11 bytes [B8, 89, E5, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                                                            00007ffb8f1e3880 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!socket + 1                                                            00007ffb8f1e3bd1 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                                                          00007ffb8f1e4230 12 bytes [48, B8, C9, 81, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!connect                                                              00007ffb8f1e5730 12 bytes [48, B8, 09, 64, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                                                        00007ffb8f1e87e0 12 bytes [48, B8, 89, 83, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!send + 1                                                              00007ffb8f1f42d1 11 bytes [B8, 09, 9C, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                                                        00007ffb8f1f6fe1 11 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                                                    00007ffb8f2054b1 11 bytes [B8, 49, 85, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                                            00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                                            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                                                00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                                                00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                                                  00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                                                  00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                                              00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                                              00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                                                  00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                                                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                                                  00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                                                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                                            00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                                            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                                    00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                                    00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                                                    00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                                                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                                      00007ffb8f8ddd10 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                                      00007ffb8f8ddda0 12 bytes [48, B8, 49, 69, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                00007ffb8d61bb11 11 bytes [B8, 09, 80, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                              00007ffb8f5f47a1 11 bytes [B8, C9, 5E, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                        00007ffb8f5f4d10 12 bytes [48, B8, 89, 52, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                        00007ffb8f5fa830 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                                  00007ffb8f5fae11 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                00007ffb8f5fed61 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                            00007ffb8f614021 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                                    00007ffb8f61a1a1 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                            00007ffb8f61de41 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Windows\System32\rundll32.exe[5188] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                00007ffb8f62ddf1 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot            00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                      00007ffb8ecae1f0 12 bytes [48, B8, 89, D0, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                  00007ffb8ed434b1 11 bytes [B8, 89, 0F, 28, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                      00007ffb8ed6aba1 8 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                    00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1            00007ffb8ed6aca1 11 bytes [B8, 49, E7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                        00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                    00007ffb8d2921d1 11 bytes [B8, 49, C4, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                    00007ffb8d2942a0 12 bytes [48, B8, 09, C6, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                00007ffb8d295f71 11 bytes [B8, 49, EE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                      00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                    00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                00007ffb8d298d81 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                00007ffb8d2997b1 11 bytes [B8, C9, C0, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                  00007ffb8d29c050 12 bytes [48, B8, 09, F0, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                  00007ffb8d29d781 11 bytes [B8, C9, F1, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1          00007ffb8d2a2511 11 bytes [B8, 09, E9, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW            00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1            00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                    00007ffb8d2e93c1 8 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                  00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1              00007ffb8d30a841 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                      00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1              00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1              00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                      00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                      00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!ShowWindow                            00007ffb8fae11b0 6 bytes [48, B8, C9, A4, 27, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                        00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                    00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!GetMessageW                            00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                      00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                        00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                      00007ffb8fae33f1 11 bytes [B8, C9, 14, 28, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                        00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                  00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                  00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                        00007ffb8fae6d90 7 bytes [48, B8, 49, A1, 27, 59, 00]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                  00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                        00007ffb8faeab30 7 bytes [48, B8, 09, A3, 27, 59, 00]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                  00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                    00007ffb8faece31 11 bytes [B8, 49, AF, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                      00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1            00007ffb8faedec1 11 bytes [B8, 09, 21, 28, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                        00007ffb8faf0e61 7 bytes [B8, 49, CB, 27, 59, 00, 00]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                        00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                        00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1      00007ffb8fb03ab1 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                      00007ffb8fb05921 11 bytes [B8, 09, 13, 28, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                      00007ffb8fb07161 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                      00007ffb8fb07691 5 bytes [B8, 89, C9, 27, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                      00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1        00007ffb8fb177a1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                  00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                      00007ffb8fb67d01 11 bytes [B8, 09, AA, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                      00007ffb8fb67d31 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                    00007ffb8fb71021 11 bytes [B8, 89, AD, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                        00007ffb8fb71471 11 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\GDI32.dll!GdiDllInitialize + 465                  00007ffb8e974121 11 bytes [B8, C9, 22, 28, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\GDI32.dll!NamedEscape + 1                        00007ffb8ea34d41 11 bytes [B8, 49, 03, 28, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1            00007ffb8f8814a1 5 bytes [B8, 49, F5, 27, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7            00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                  00007ffb8f882041 5 bytes [B8, 09, 05, 28, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                  00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                    00007ffb8f882061 5 bytes [B8, 49, 0A, 28, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                    00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                00007ffb8f882071 5 bytes [B8, 89, 08, 28, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                  00007ffb8f882091 5 bytes [B8, 09, 0C, 28, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                  00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                  00007ffb8f8820a1 5 bytes [B8, C9, 06, 28, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                  00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1            00007ffb8f882201 5 bytes [B8, 89, F3, 27, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7            00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                      00007ffb8f8b0fa1 5 bytes [B8, 09, F7, 27, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                      00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                    00007ffb8f8b0fb1 5 bytes [B8, C9, F8, 27, 59]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                    00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                      00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                      00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!closesocket                            00007ffb8f1e1be0 12 bytes [48, B8, C9, B9, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!recv + 1                              00007ffb8f1e2571 11 bytes [B8, C9, FF, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                            00007ffb8f1e2d61 11 bytes [B8, 89, BB, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                            00007ffb8f1e2ff1 11 bytes [B8, 89, 01, 28, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                            00007ffb8f1e3880 12 bytes [48, B8, 09, B8, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!socket + 1                            00007ffb8f1e3bd1 11 bytes [B8, 89, FA, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                          00007ffb8f1e4230 12 bytes [48, B8, 09, 9C, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!connect                                00007ffb8f1e5730 12 bytes [48, B8, 49, 62, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                        00007ffb8f1e87e0 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!send + 1                              00007ffb8f1f42d1 11 bytes [B8, 49, B6, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                        00007ffb8f1f6fe1 11 bytes [B8, 09, FE, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                      00007ffb8f2054b1 11 bytes [B8, 89, 9F, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                          00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                          00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                    00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1              00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                    00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1              00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[5380] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                                      00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                                00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                                            00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                                00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                                              00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                                      00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                                  00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                                              00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                                              00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                                          00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                                00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                                              00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                                          00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                                          00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                                            00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                                            00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                                    00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                                      00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                                      00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                                              00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                                            00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                                        00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                                00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                                        00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                                        00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                                00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                                00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                                          00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                          00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                                    00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                                    00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                                              00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                                          00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                                        00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                                              00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                                        00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                                          00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!closesocket                                                      00007ffb8f1e1be0 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!recv + 1                                                        00007ffb8f1e2571 11 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                                                      00007ffb8f1e2d61 11 bytes [B8, 89, 9F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                                                      00007ffb8f1e2ff1 11 bytes [B8, 89, E5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                                                      00007ffb8f1e3880 12 bytes [48, B8, 09, 9C, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!socket + 1                                                      00007ffb8f1e3bd1 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                                                    00007ffb8f1e4230 12 bytes [48, B8, 09, 80, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!connect                                                          00007ffb8f1e5730 12 bytes [48, B8, 49, 62, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                                                  00007ffb8f1e87e0 12 bytes [48, B8, C9, 81, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!send + 1                                                        00007ffb8f1f42d1 11 bytes [B8, 49, 9A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                                                  00007ffb8f1f6fe1 11 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                                                00007ffb8f2054b1 11 bytes [B8, 89, 83, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow                                                      00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!ShowWindow + 8                                                  00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx                                              00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!UnhookWindowsHookEx + 8                                          00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageW                                                      00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageW + 1                                                00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!CallNextHookEx                                                  00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageW + 1                                                00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!GetMessageA + 1                                                  00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 1                                            00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExW + 9                                            00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW                                                  00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExW + 10                                            00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA                                                  00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!CreateWindowExA + 10                                            00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextW + 1                                              00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!PeekMessageA + 1                                                00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!UserClientDllInitialize + 1                                      00007ffb8faedec1 11 bytes [B8, 89, 08, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 1                                                  00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowW + 9                                                  00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!SetWinEventHook                                                  00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!CreateDialogIndirectParamAorW + 1                                00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!PostMessageA + 1                                                00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExW + 1                                                00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 1                                                00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowExA + 9                                                00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!DialogBoxIndirectParamAorW + 1                                  00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 1                                            00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowsHookExA + 10                                          00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExA + 1                                                00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!MessageBoxExW + 1                                                00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!SetWindowTextA + 1                                              00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[5304] C:\WINDOWS\SYSTEM32\user32.dll!FindWindowA + 1                                                  00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNEL32.DLL!CreateToolhelp32Snapshot                      00007ffb8ecadb10 12 bytes [48, B8, C9, 34, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNEL32.DLL!Process32NextW                                00007ffb8ecae1f0 12 bytes [48, B8, 89, B4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNEL32.DLL!GetStartupInfoA + 1                            00007ffb8ed434b1 11 bytes [B8, 89, F3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 1                                00007ffb8ed6aba1 8 bytes [B8, 09, C6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileExA + 10                              00007ffb8ed6abaa 2 bytes [50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNEL32.DLL!MoveFileWithProgressA + 1                      00007ffb8ed6aca1 11 bytes [B8, 49, CB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!CloseHandle                                  00007ffb8d2914c0 12 bytes [48, B8, 49, 4D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary + 1                              00007ffb8d2921d1 11 bytes [B8, 49, A8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!GetProcAddress                              00007ffb8d2942a0 12 bytes [48, B8, 09, AA, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!DeviceIoControl + 1                          00007ffb8d295f71 11 bytes [B8, 49, D2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!CreateMutexW                                00007ffb8d296ed0 12 bytes [48, B8, 89, 4B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!OpenMutexW + 1                              00007ffb8d298a71 11 bytes [B8, C9, 49, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW + 1                          00007ffb8d298d81 11 bytes [B8, 89, A6, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExA + 1                          00007ffb8d2997b1 11 bytes [B8, C9, A4, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!FindFirstFileExW                            00007ffb8d29c050 12 bytes [48, B8, 09, D4, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!FindNextFileW + 1                            00007ffb8d29d781 11 bytes [B8, C9, D5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileWithProgressW + 1                    00007ffb8d2a2511 11 bytes [B8, 09, CD, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!CreateProcessInternalW                      00007ffb8d2aef70 12 bytes [48, B8, 89, 28, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!WriteProcessMemory + 1                      00007ffb8d2c6b21 11 bytes [B8, 89, 3D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 1                              00007ffb8d2e93c1 8 bytes [B8, C9, C7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!MoveFileExW + 10                            00007ffb8d2e93ca 2 bytes [50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!DefineDosDeviceW + 1                        00007ffb8d30a841 11 bytes [B8, 89, C2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!CreateThread                                00007ffb8d30ac50 12 bytes [48, B8, C9, 3B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputA + 1                        00007ffb8d35f811 11 bytes [B8, 49, 70, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleInputW + 1                        00007ffb8d35f891 11 bytes [B8, 09, 72, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleA                                00007ffb8d360340 12 bytes [48, B8, C9, 73, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!ReadConsoleW                                00007ffb8d360570 12 bytes [48, B8, 89, 75, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\KERNELBASE.dll!CreateRemoteThread                          00007ffb8d370c80 12 bytes [48, B8, C9, 1F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!ShowWindow                                      00007ffb8fae11b0 6 bytes [48, B8, C9, 88, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!ShowWindow + 8                                  00007ffb8fae11b8 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx                              00007ffb8fae1210 6 bytes [48, B8, 89, 7C, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!UnhookWindowsHookEx + 8                          00007ffb8fae1218 4 bytes [00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!GetMessageW                                      00007ffb8fae2670 12 bytes [48, B8, 09, 6B, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!PeekMessageW + 1                                00007ffb8fae2991 11 bytes [B8, 89, 6E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!CallNextHookEx                                  00007ffb8fae2ef0 12 bytes [48, B8, C9, 7A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!PostMessageW + 1                                00007ffb8fae33f1 11 bytes [B8, C9, F8, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!GetMessageA + 1                                  00007ffb8fae6191 11 bytes [B8, 49, 69, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 1                            00007ffb8fae6391 7 bytes [B8, 09, 1E, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExW + 9                            00007ffb8fae6399 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!CreateWindowExW                                  00007ffb8fae6d90 7 bytes [48, B8, 49, 85, 27, 59, 00]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!CreateWindowExW + 10                            00007ffb8fae6d9a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!CreateWindowExA                                  00007ffb8faeab30 7 bytes [48, B8, 09, 87, 27, 59, 00]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!CreateWindowExA + 10                            00007ffb8faeab3a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!SetWindowTextW + 1                              00007ffb8faece31 11 bytes [B8, 49, 93, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!PeekMessageA + 1                                00007ffb8faedb41 11 bytes [B8, C9, 6C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!UserClientDllInitialize + 1                      00007ffb8faedec1 11 bytes [B8, 09, 05, 28, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!FindWindowW + 1                                  00007ffb8faf0e61 7 bytes [B8, 49, AF, 27, 59, 00, 00]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!FindWindowW + 9                                  00007ffb8faf0e69 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!SetWinEventHook                                  00007ffb8faf7100 12 bytes [48, B8, 09, 3A, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                00007ffb8fb03ab1 11 bytes [B8, 89, 8A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!PostMessageA + 1                                00007ffb8fb05921 11 bytes [B8, 09, F7, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!FindWindowExW + 1                                00007ffb8fb07161 11 bytes [B8, 09, B1, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 1                                00007ffb8fb07691 5 bytes [B8, 89, AD, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!FindWindowExA + 9                                00007ffb8fb07699 3 bytes [00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                  00007ffb8fb177a1 11 bytes [B8, 49, 8C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 1                            00007ffb8fb40f61 8 bytes [B8, 49, 1C, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!SetWindowsHookExA + 10                          00007ffb8fb40f6a 2 bytes [50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!MessageBoxExA + 1                                00007ffb8fb67d01 11 bytes [B8, 09, 8E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!MessageBoxExW + 1                                00007ffb8fb67d31 11 bytes [B8, C9, 8F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!SetWindowTextA + 1                              00007ffb8fb71021 11 bytes [B8, 89, 91, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\USER32.dll!FindWindowA + 1                                  00007ffb8fb71471 11 bytes [B8, C9, AB, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\SHELL32.dll!Shell_NotifyIconW + 1                          00007ffb8d61bb11 11 bytes [B8, 49, 7E, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 1                      00007ffb8f8814a1 5 bytes [B8, 49, D9, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextW + 7                      00007ffb8f8814a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 1                            00007ffb8f882041 5 bytes [B8, 09, E9, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptCreateHash + 7                            00007ffb8f882047 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 1                              00007ffb8f882061 5 bytes [B8, 49, EE, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptHashData + 7                              00007ffb8f882067 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 1                          00007ffb8f882071 5 bytes [B8, 89, EC, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptGetHashParam + 7                          00007ffb8f882077 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 1                            00007ffb8f882091 5 bytes [B8, 09, F0, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptImportKey + 7                            00007ffb8f882097 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 1                            00007ffb8f8820a1 5 bytes [B8, C9, EA, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptExportKey + 7                            00007ffb8f8820a7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 1                      00007ffb8f882201 5 bytes [B8, 89, D7, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptAcquireContextA + 7                      00007ffb8f882207 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 1                                00007ffb8f8b0fa1 5 bytes [B8, 09, DB, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptGenKey + 7                                00007ffb8f8b0fa7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 1                              00007ffb8f8b0fb1 5 bytes [B8, C9, DC, 27, 59]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CryptEncrypt + 7                              00007ffb8f8b0fb7 5 bytes [00, 00, 00, 50, C3]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceA                                00007ffb8f8ddd10 12 bytes [48, B8, C9, 65, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\ADVAPI32.dll!CreateServiceW                                00007ffb8f8ddda0 12 bytes [48, B8, 89, 67, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\sechost.dll!CloseServiceHandle + 1                          00007ffb8f5f47a1 11 bytes [B8, 09, 5D, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceW                                    00007ffb8f5f4d10 12 bytes [48, B8, C9, 50, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\sechost.dll!OpenServiceA                                    00007ffb8f5fa830 12 bytes [48, B8, 09, 4F, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\sechost.dll!ControlService + 1                              00007ffb8f5fae11 11 bytes [B8, 09, 56, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExW + 1                          00007ffb8f5fed61 11 bytes [B8, 49, 54, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigW + 1                        00007ffb8f614021 11 bytes [B8, 49, 5B, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\sechost.dll!DeleteService + 1                              00007ffb8f61a1a1 11 bytes [B8, C9, 57, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\sechost.dll!ChangeServiceConfigA + 1                        00007ffb8f61de41 11 bytes [B8, 89, 59, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\sechost.dll!ControlServiceExA + 1                          00007ffb8f62ddf1 11 bytes [B8, 89, 52, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!closesocket                                      00007ffb8f1e1be0 12 bytes [48, B8, C9, 9D, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!recv + 1                                        00007ffb8f1e2571 11 bytes [B8, C9, E3, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!WSASend + 1                                      00007ffb8f1e2d61 11 bytes [B8, 89, 9F, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!WSARecv + 1                                      00007ffb8f1e2ff1 11 bytes [B8, 89, E5, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!WSASocketW                                      00007ffb8f1e3880 12 bytes [48, B8, 09, 9C, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!socket + 1                                      00007ffb8f1e3bd1 11 bytes [B8, 89, DE, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoW                                    00007ffb8f1e4230 12 bytes [48, B8, 09, 80, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!connect                                          00007ffb8f1e5730 12 bytes [48, B8, 49, 62, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!GetAddrInfoExW                                  00007ffb8f1e87e0 12 bytes [48, B8, C9, 81, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!send + 1                                        00007ffb8f1f42d1 11 bytes [B8, 49, 9A, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!WSAConnect + 1                                  00007ffb8f1f6fe1 11 bytes [B8, 09, E2, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\system32\WS2_32.dll!gethostbyname + 1                                00007ffb8f2054b1 11 bytes [B8, 89, 83, 27, 59, 00, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQueryEx                                      00007ffb8c494420 12 bytes [48, B8, C9, C0, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_UTF8                                    00007ffb8c4b3cd0 12 bytes [48, B8, 09, BF, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_W                                      00007ffb8c4b4350 12 bytes [48, B8, 49, BD, 27, 59, 00, ...]
.text  C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE[2524] C:\WINDOWS\SYSTEM32\DNSAPI.dll!DnsQuery_A                                      00007ffb8c4efd90 12 bytes [48, B8, 89, BB, 27, 59, 00, ...]
.text  C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[920] C:\WINDOWS\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1              00007ffb8ed70cf1 5 bytes [B8, 30, 08, 4A, 01]
.text  C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe[920] C:\WINDOWS\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7              00007ffb8ed70cf7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe[1052] C:\WINDOWS\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1              00007ffb8ed70cf1 5 bytes [B8, 30, 08, F2, 03]
.text  C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe[1052] C:\WINDOWS\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7              00007ffb8ed70cf7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[3992] C:\WINDOWS\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1                00007ffb8ed70cf1 5 bytes [B8, 30, 08, E1, 00]
.text  C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe[3992] C:\WINDOWS\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7                00007ffb8ed70cf7 5 bytes [00, 00, 00, 50, C3]
.text  C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[8072] C:\WINDOWS\system32\KERNEL32.DLL!UnhandledExceptionFilter + 1              00007ffb8ed70cf1 5 bytes [B8, 30, 08, 2B, 02]
.text  C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe[8072] C:\WINDOWS\system32\KERNEL32.DLL!UnhandledExceptionFilter + 7              00007ffb8ed70cf7 5 bytes [00, 00, 00, 50, C3]

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [616:8140]                                                                                                    fffff960008d52d0
Thread  C:\WINDOWS\system32\csrss.exe [616:7924]                                                                                                    fffff960008d52d0
Thread  C:\WINDOWS\system32\csrss.exe [616:7508]                                                                                                    fffff960008d52d0
Thread  C:\WINDOWS\system32\csrss.exe [616:7120]                                                                                                    fffff960008d52d0
Thread  C:\WINDOWS\system32\csrss.exe [616:7832]                                                                                                    fffff960008d52d0
Thread  C:\WINDOWS\system32\csrss.exe [616:4936]                                                                                                    fffff960008d52d0
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [5348:5824]                                                                  00007ffb82cd4094
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [5348:5632]                                                                  00007ffb82cd4094
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [5348:5688]                                                                  00007ffb7110bc60
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [5388:5192]                                                                00007ffb82cd4094
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [5388:5728]                                                                00007ffb7126f5f8
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [5388:5672]                                                                00007ffb82cd4094
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [5388:4580]                                                                00007ffb7110bc60
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [5388:5740]                                                                00007ffb82cd4094

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                                                                                                      unknown MBR code

---- EOF - GMER 2.1 ----
--- --- ---

schrauber 24.07.2015 06:27
FRST bitte nochmal, unsere Tools brauchen immer Adminrechte.

DWaKd 24.07.2015 09:06
frst.txt (zum 2ten)
 

FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
Ran by Detlev (ATTENTION: The logged in user is not administrator) on OFFICE01 on 22-07-2015 22:23:43
Running from C:\Users\Detlev\Desktop
Loaded Profiles: Admin & Detlev (Available Profiles: Admin & Detlev & Administrator)
Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> wininit.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> vsserv.exe
Failed to access process -> dwm.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> DisplayLinkManager.exe
Failed to access process -> RtkAudioService64.exe
Failed to access process -> RAVBg64.exe
Failed to access process -> RAVBg64.exe
Failed to access process -> DisplayLinkUserAgent.exe
Failed to access process -> svchost.exe
Failed to access process -> wlanext.exe
Failed to access process -> conhost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> svchost.exe
Failed to access process -> aavus.exe
Failed to access process -> armsvc.exe
Failed to access process -> AERTSr64.exe
Failed to access process -> SkypeC2CAutoUpdateSvc.exe
Failed to access process -> SkypeC2CPNRSvc.exe
Failed to access process -> svchost.exe
Failed to access process -> dasHost.exe
Failed to access process -> DnsBlockUpdateSvc.exe
Failed to access process -> E_WT50RP.EXE
Failed to access process -> EvtEng.exe
Failed to access process -> HeciServer.exe
Failed to access process -> irstrtsv.exe
Failed to access process -> iSCTAgent.exe
Failed to access process -> mbamscheduler.exe
Failed to access process -> mbamservice.exe
Failed to access process -> nsmservice.exe
Failed to access process -> RegSrvc.exe
Failed to access process -> svchost.exe
Failed to access process -> updatesrv.exe
Failed to access process -> WDDriveService.exe
Failed to access process -> ZeroConfigService.exe
Failed to access process -> WDBackupEngine.exe
Failed to access process -> unsecapp.exe
Failed to access process -> WmiPrvSE.exe
Failed to access process -> WmiPrvSE.exe
Failed to access process -> svchost.exe
Failed to access process -> WUDFHost.exe
Failed to access process -> WUDFHost.exe
() C:\Windows\Temp\irstrtsv\scrncap.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
Failed to access process -> SearchIndexer.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
Failed to access process -> BbDevMgr.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
Failed to access process -> netsetman.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
Failed to access process -> BTHSAmpPalService.exe
Failed to access process -> devmonsrv.exe
Failed to access process -> obexsrv.exe
Failed to access process -> BTHSSecurityMgr.exe
Failed to access process -> OTBSurvey.exe
Failed to access process -> DeliveryService.exe
Failed to access process -> DellUpService.exe
Failed to access process -> IAStorDataMgrSvc.exe
Failed to access process -> jhi_service.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
Failed to access process -> LMS.exe
Failed to access process -> SftService.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe
(Neuber Software) C:\Program Files (x86)\Security Task Manager\TaskMan.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIH3E.EXE
Failed to access process -> svchost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
Failed to access process -> taskeng.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-30] (Intel Corporation)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3058848 2012-07-24] (Dell Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2780400 2014-05-06] (Synaptics Incorporated)
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe [1691112 2015-04-06] (Bitdefender)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [IntelPROSet] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [4878752 2015-03-19] (Intel(R) Corporation)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [267792 2013-01-17] (Research In Motion Limited)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3498728 2015-06-29] (Adobe Systems Inc.)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [642664 2014-02-13] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863848 2014-02-13] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [NetSetMan] => C:\Program Files (x86)\NetSetMan\netsetman.exe [6539944 2015-06-16] (Ilja Herlein)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1694048 2014-05-23] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2015-05-20] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5564784 2015-05-01] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2086240 2015-04-28] (Wondershare)
HKLM-x32\...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\Video Converter Ultimate\DelayPluginI.exe
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKLM\...\RunOnce: [ASYNCMAC] => rundll32.exe streamci,StreamingDeviceSetup {eeab7790-c514-11d1-b42b-00805fc1270e},asyncmac,{ad498944-762f-11d0-8dcb-00c04fc3358c},C:\WINDOWS\INF\netrasa.inf,Ndis-Mp-AsyncMac
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2015-06-18] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1058572625-867591187-812149052-1001\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE [241280 2012-07-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1058572625-867591187-812149052-1001\...\Run: [Bitdefender-Geldb�rse-Agent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe [790880 2015-02-25] (Bitdefender)
HKU\S-1-5-21-1058572625-867591187-812149052-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE [241280 2012-07-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [Bitdefender-Geldb�rse-Agent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe [790880 2015-02-25] (Bitdefender)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [EPLTarget\P0000000000000001] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIH3E.EXE [241280 2012-07-12] (SEIKO EPSON CORPORATION)
Startup: C:\Users\Detlev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk [2014-08-08]
ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser]  <======= ATTENTION (Policy restriction on ProxySettings)
ProxyEnable: [S-1-5-21-1058572625-867591187-812149052-1002] => Internet Explorer proxy is enabled.
HKU\S-1-5-21-1058572625-867591187-812149052-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-1058572625-867591187-812149052-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.web.de/
HKU\S-1-5-21-1058572625-867591187-812149052-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
URLSearchHook: [S-1-5-21-1058572625-867591187-812149052-1001] ATTENTION ==> Default URLSearchHook is missing
SearchScopes: HKLM -> {DF4AC5A7-A78F-4A31-B77B-BA9B88A14453} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> DefaultScope {57CF7BF6-6348-4154-A75E-48E42BDB3AF5} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> {57CF7BF6-6348-4154-A75E-48E42BDB3AF5} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files\{DCB99623-DFAE-4297-B412-EB532D4B2DB7}\{45F26614-6ADF-43A4-B5A6-1F917C1DE834}.bin [2015-07-22] (Download Protect)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Wondershare Video Converter Ultimate 7.1.0 -> {451C804F-C205-4F03-B48E-537EC94937BF} -> C:\PROGRA~3\WONDER~1\VIDEOC~1\WSBROW~1.DLL No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\ssv.dll [2015-07-19] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files (x86)\{88F2BEBC-E310-466E-AAF6-B647EF538B58}\{2FDA30AA-080D-4720-B65B-7287BE47EFB5}.bin [2015-07-22] (Download Protect)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\jp2ssv.dll [2015-07-19] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM - Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\pmbxie.dll [2015-02-25] (Bitdefender)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\pmbxie.dll [2015-02-25] (Bitdefender)
Toolbar: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\pmbxie.dll [2015-02-25] (Bitdefender)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
Tcpip\..\Interfaces\{72C81EA3-A616-44BB-B316-EA42CE39A066}: [NameServer] 192.168.129.10
Tcpip\..\Interfaces\{F35878CF-4C09-486C-9E84-BB14D36C6750}: [DhcpNameServer] 13.36.0.102

FireFox:
========
FF ProfilePath: C:\Users\Detlev\AppData\Roaming\Mozilla\Firefox\Profiles\tge1794z.default
FF DefaultSearchUrl: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF SelectedSearchEngine: Google
FF SelectedSearchEngine: google
FF Homepage: hxxp://www.google.de?hl=de&gl=de
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=UTF-8&oe=UTF-8&meta=lr=lang_de&q=
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF NetworkProxy: "autoconfig_url", "web.de"
FF NetworkProxy: "type", 2
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-07-15] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-28] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-15] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\dtplugin\npDeployJava1.dll [2015-07-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll [2015-07-19] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2012-12-13] ()
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-07-03] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-28] (Adobe Systems)
FF user.js: detected! => C:\Users\Detlev\AppData\Roaming\Mozilla\Firefox\Profiles\tge1794z.default\user.js [2015-07-22]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext
FF Extension: Bitdefender Antispam Toolbar - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext [2015-01-01]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-08-05]
FF HKLM-x32\...\Firefox\Extensions: [bdwteff@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff [2015-01-01]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com
FF HKLM-x32\...\Firefox\Extensions: [{CB235133-5305-4E26-8727-256679D3FF57}] - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi [2015-07-20]
FF HKLM-x32\...\Firefox\Extensions: [{434BF744-47E1-45F7-B215-EAE9123E8522}] - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi [2015-07-22]
FF HKLM-x32\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2015-06-29]
CHR HKLM-x32\...\Chrome\Extension: [fabcmochhfpldjekobfaaggijgohadih] - https://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AAV UpdateService; C:\Programme (x86)\AAVUpdateManager\aavus.exe [128296 2008-10-24] ()
S4 BdDesktopParental; C:\Program Files\Bitdefender\Bitdefender 2015\bdparentalservice.exe [78144 2015-01-21] (Bitdefender)
R3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited) [File not signed]
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1394816 2015-05-01] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1772672 2015-05-01] (Microsoft Corporation)
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\OTBSurvey.exe [145288 2015-04-09] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-06-09] (Dell Inc.)
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [10813232 2014-09-08] (DisplayLink Corp.)
R2 DnsBlockUpdateSvc; C:\WINDOWS\system32\DnsBlockUpdateSvc.exe [149024 2015-06-21] ()
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-30] (Intel Corporation)
S2 ibtsiva; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [131312 2015-03-19] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel(R) Corporation)
R2 irstrtsv; C:\Windows\SysWOW64\irstrtsv.exe [783264 2013-09-09] (Intel Corporation)
R2 ISCTAgent; c:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe [198120 2013-08-01] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
S2 lmhosts; C:\Windows\system32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)
S2 lmhosts; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-29] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-03-19] ()
R2 NlaSvc; C:\Windows\System32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-29] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)
R2 nsi; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-29] (Microsoft Corporation)
R2 nsmService; C:\Program Files (x86)\NetSetMan\nsmservice.exe [1278632 2015-02-06] (Ilja Herlein)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-12-11] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [1915920 2013-11-22] (SoftThinks SAS)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe [67320 2015-01-01] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe [1547936 2015-04-06] (Bitdefender)
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2015-05-01] (Western Digital Technologies, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [306552 2015-05-20] (Western Digital Technologies, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-04] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-04] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3820960 2015-03-19] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1306464 2015-02-25] (BitDefender)
R3 avchv; C:\Windows\system32\DRIVERS\avchv.sys [262544 2015-02-25] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [677104 2015-02-25] (BitDefender)
S0 bdelam; C:\Windows\System32\drivers\bdelam.sys [23568 2013-09-08] (Bitdefender)
R1 BdfNdisf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfndisf6.sys [98768 2015-02-25] (BitDefender LLC)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [107008 2013-07-29] (BitDefender LLC)
S3 bdfwfpf_pc; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf_pc.sys [121928 2013-07-02] (Bitdefender SRL)
S3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
S3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1448248 2014-11-26] (Motorola Solutions, Inc.)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-25] (OSR Open Systems Resources, Inc.)
R3 DisplayLinkUsbIo_x64; C:\Windows\System32\drivers\DisplayLinkUsbIo_x64_7.6.54217.0.sys [46384 2014-09-22] ()
R3 dlcdcncm; C:\Windows\system32\DRIVERS\dlcdcncm62_x64.sys [82224 2014-09-08] (DisplayLink Corp.)
R3 dlusbaudio; C:\Windows\system32\DRIVERS\dlusbaudio_x64.sys [206640 2014-09-08] (DisplayLink Corp.)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [160544 2015-04-06] (BitDefender LLC)
S3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-08-09] (Intel Corporation)
R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [120312 2014-06-03] (Intel Corporation)
S3 iaLPSS_SPI; C:\Windows\System32\drivers\iaLPSS_SPI.sys [83960 2013-08-09] (Intel Corporation)
S3 iaLPSS_UART2; C:\Windows\System32\drivers\iaLPSS_UART2.sys [129528 2013-08-09] (Intel Corporation)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [253680 2015-03-19] (Intel Corporation)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [21408 2013-08-01] ()
R3 imsevent; C:\Windows\system32\DRIVERS\imsevent.sys [21920 2013-08-01] ()
R3 INETMON; C:\Windows\System32\Drivers\INETMON.sys [29088 2013-08-01] ()
R3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [20192 2013-09-09] (Intel Corporation)
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46568 2013-08-01] ()
S3 LAN7500; C:\Windows\system32\DRIVERS\lan7500-x64-n630f.sys [96256 2013-04-05] (SMSC)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [113880 2015-07-20] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [99288 2013-12-19] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3497240 2015-03-23] (Intel Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
R3 SensorsAlsDriver; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [41200 2014-05-06] (Synaptics Incorporated)
U5 TMUSB; C:\Windows\System32\DRIVERS\TMUSB64.SYS [63096 2014-03-19] (Seiko Epson Corporation)
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [452040 2015-01-01] (BitDefender S.R.L.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
S3 btmaux; \SystemRoot\system32\DRIVERS\btmaux.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-22 22:23 - 2015-07-22 22:23 - 00032436 _____ C:\Users\Detlev\Desktop\FRST.txt
2015-07-22 22:23 - 2015-07-22 22:23 - 00000000 ____D C:\FRST
2015-07-22 22:21 - 2015-07-22 22:21 - 00000472 _____ C:\Users\Detlev\Desktop\defogger_disable.log
2015-07-22 22:21 - 2015-07-22 22:21 - 00000000 _____ C:\Users\Admin\defogger_reenable
2015-07-22 22:20 - 2015-07-22 22:08 - 00380416 _____ C:\Users\Detlev\Desktop\Gmer-19357.exe
2015-07-22 22:20 - 2015-07-22 22:07 - 02135552 _____ (Farbar) C:\Users\Detlev\Desktop\FRST64.exe
2015-07-22 22:20 - 2015-07-22 22:04 - 00050477 _____ C:\Users\Detlev\Desktop\Defogger.exe
2015-07-22 20:02 - 2015-07-22 20:02 - 00000000 ____D C:\ProgramData\SecTaskMan
2015-07-22 20:00 - 2015-07-22 20:00 - 00132632 _____ C:\Users\Detlev\AppData\Local\recently-used.xbel
2015-07-22 19:40 - 2015-07-22 19:40 - 00004124 _____ C:\Users\Detlev\Desktop\result2.txt
2015-07-22 18:32 - 2015-07-22 18:32 - 00000000 ____D C:\Program Files\{DCB99623-DFAE-4297-B412-EB532D4B2DB7}
2015-07-22 18:32 - 2015-07-22 18:32 - 00000000 ____D C:\Program Files (x86)\{88F2BEBC-E310-466E-AAF6-B647EF538B58}
2015-07-20 21:23 - 2015-07-20 21:29 - 63320784 _____ (Microsoft Corporation) C:\Users\Detlev\Downloads\IE11-Windows6.1-x64-de-de.exe
2015-07-20 21:23 - 2015-07-20 21:24 - 00000000 ___RD C:\Users\Detlev\Favorites - Kopie
2015-07-20 21:13 - 2015-07-20 21:13 - 00063173 _____ C:\Users\Detlev\Desktop\Firefox-bookmarks-2015-07-20.json
2015-07-20 20:58 - 2015-07-20 21:01 - 40945288 _____ C:\Users\Detlev\Downloads\firefox_setup_39.0.exe
2015-07-20 20:53 - 2015-07-14 16:14 - 00358912 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2015-07-20 20:53 - 2015-07-14 16:14 - 00301056 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2015-07-20 20:53 - 2015-07-14 16:14 - 00035840 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2015-07-20 20:53 - 2015-07-14 16:13 - 00044032 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2015-07-20 20:33 - 2015-07-22 19:11 - 00009297 _____ C:\Users\Detlev\Desktop\Ausgaben Urlaub.xlsx
2015-07-20 11:09 - 2015-07-20 11:10 - 00004385 _____ C:\Users\Detlev\Desktop\result.txt
2015-07-20 03:32 - 2015-07-20 22:09 - 00113880 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-07-20 03:32 - 2015-07-20 22:07 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-20 03:32 - 2015-07-20 22:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-20 03:32 - 2015-07-20 22:07 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-20 03:32 - 2015-07-20 03:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-07-20 03:32 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-07-20 03:32 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-07-20 03:32 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-07-20 03:21 - 2015-07-20 03:25 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\Detlev\Desktop\mbam-setup-2.1.6.1022.exe
2015-07-20 02:44 - 2015-07-20 02:44 - 00001784 _____ C:\Users\Detlev\Desktop\Fixlist.txt
2015-07-20 02:32 - 2015-07-20 02:32 - 00000586 _____ C:\Users\Admin\Documents\reg20150720.reg
2015-07-20 01:57 - 2015-07-20 01:57 - 01198368 _____ C:\Users\Detlev\Downloads\Malwarebytes Anti Malware Malware Scanner - CHIP-Installer.exe
2015-07-19 20:32 - 2015-07-19 20:32 - 00001172 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spy Protector.lnk
2015-07-19 20:32 - 2015-07-19 20:32 - 00001161 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager.lnk
2015-07-19 20:32 - 2015-07-19 20:32 - 00001149 _____ C:\Users\Public\Desktop\Security Task Manager.lnk
2015-07-19 20:32 - 2015-07-19 20:32 - 00000000 ____D C:\Program Files (x86)\Security Task Manager
2015-07-16 21:41 - 2015-07-16 21:41 - 00000000 ____D C:\Users\Detlev\AppData\Local\CEF
2015-07-16 12:45 - 2015-07-16 12:45 - 00000000 ____D C:\Users\Detlev\Downloads\DDA_v16
2015-07-16 12:44 - 2015-07-16 12:44 - 00504083 _____ C:\Users\Detlev\Downloads\DDA_v16.zip
2015-07-16 00:26 - 2015-07-16 00:27 - 41578048 _____ C:\Users\Detlev\Downloads\WEB.DE_Firefox_Setup(1).exe
2015-07-15 10:38 - 2015-06-28 07:07 - 00442712 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2015-07-15 10:38 - 2015-06-28 07:07 - 00178008 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2015-07-15 10:38 - 2015-06-28 07:06 - 01311960 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcrt4.dll
2015-07-15 10:38 - 2015-06-28 07:06 - 00332120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2015-07-15 10:38 - 2015-06-27 18:42 - 00747520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rpcrt4.dll
2015-07-15 10:38 - 2015-06-27 05:13 - 00202240 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2015-07-15 10:38 - 2015-06-27 05:12 - 00401408 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2015-07-15 10:38 - 2015-06-27 05:12 - 00284672 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb10.sys
2015-07-15 10:38 - 2015-06-27 04:40 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2015-07-15 10:38 - 2015-06-27 04:05 - 01441792 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2015-07-15 10:38 - 2015-06-27 04:00 - 00989184 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2015-07-15 10:38 - 2015-06-27 03:53 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2015-07-15 10:38 - 2015-06-27 03:26 - 00802816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2015-07-15 10:38 - 2015-06-25 04:31 - 04177920 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-07-15 10:38 - 2015-06-16 00:41 - 00065024 _____ (Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
2015-07-15 10:38 - 2015-06-16 00:24 - 03320320 _____ (Microsoft Corporation) C:\WINDOWS\system32\msi.dll
2015-07-15 10:38 - 2015-06-15 23:16 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msiexec.exe
2015-07-15 10:38 - 2015-06-15 23:09 - 03607552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msi.dll
2015-07-15 10:38 - 2015-06-15 22:50 - 02774528 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2015-07-15 10:38 - 2015-06-15 21:57 - 02460160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2015-07-15 10:37 - 2015-06-16 00:39 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-07-15 10:37 - 2015-06-16 00:38 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2015-07-15 10:37 - 2015-06-16 00:26 - 00633856 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2015-07-15 10:37 - 2015-06-16 00:24 - 00816640 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-07-15 10:37 - 2015-06-16 00:02 - 00087552 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdc.ocx
2015-07-15 10:37 - 2015-06-15 23:58 - 00199680 _____ (Microsoft Corporation) C:\WINDOWS\system32\msrating.dll
2015-07-15 10:37 - 2015-06-15 23:57 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-07-15 10:37 - 2015-06-15 23:56 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2015-07-15 10:37 - 2015-06-15 23:55 - 00316928 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2015-07-15 10:37 - 2015-06-15 23:49 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-07-15 10:37 - 2015-06-15 23:41 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-07-15 10:37 - 2015-06-15 23:38 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-07-15 10:37 - 2015-06-15 23:36 - 02125824 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-07-15 10:37 - 2015-06-15 23:17 - 02880000 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2015-07-15 10:37 - 2015-06-15 23:16 - 02427392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-07-15 10:37 - 2015-06-15 23:15 - 00504320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-07-15 10:37 - 2015-06-15 23:13 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-07-15 10:37 - 2015-06-15 23:04 - 00478208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieui.dll
2015-07-15 10:37 - 2015-06-15 23:03 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-07-15 10:37 - 2015-06-15 22:52 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-07-15 10:37 - 2015-06-15 22:47 - 00073216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdc.ocx
2015-07-15 10:37 - 2015-06-15 22:44 - 00168960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msrating.dll
2015-07-15 10:37 - 2015-06-15 22:43 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2015-07-15 10:37 - 2015-06-15 22:42 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2015-07-15 10:37 - 2015-06-15 22:41 - 00285696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2015-07-15 10:37 - 2015-06-15 22:37 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-07-15 10:37 - 2015-06-15 22:32 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-07-15 10:37 - 2015-06-15 22:31 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-07-15 10:37 - 2015-06-15 22:30 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-07-15 10:37 - 2015-06-15 22:30 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-07-15 10:37 - 2015-06-15 22:17 - 01048576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\actxprxy.dll
2015-07-15 10:37 - 2015-06-15 22:07 - 01951232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-07-15 10:37 - 2015-06-15 22:02 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-07-15 10:37 - 2015-05-30 23:18 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\system32\werdiagcontroller.dll
2015-07-15 10:37 - 2015-05-30 21:36 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2015-07-15 10:37 - 2015-05-30 21:35 - 00911360 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-07-15 10:36 - 2015-07-02 23:21 - 19877376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-07-15 10:36 - 2015-07-02 22:50 - 02279424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-07-15 10:36 - 2015-07-02 22:49 - 25193984 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-07-15 10:36 - 2015-07-02 22:23 - 02885632 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-07-15 10:36 - 2015-07-02 22:19 - 12855296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-07-15 10:36 - 2015-07-02 21:55 - 01310720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-07-15 10:36 - 2015-07-02 21:20 - 14453248 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-07-15 10:36 - 2015-07-02 20:59 - 01545728 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-07-15 10:36 - 2015-07-02 00:08 - 05923840 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-07-15 10:36 - 2015-07-01 23:14 - 04520448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-07-15 10:36 - 2015-06-16 07:36 - 01661576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2015-07-15 10:36 - 2015-06-16 07:36 - 01212248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2015-07-15 10:36 - 2015-06-11 05:49 - 01380600 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2015-07-15 10:36 - 2015-06-10 18:13 - 01097216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2015-07-14 23:25 - 2015-07-14 23:25 - 00000000 ____D C:\Users\Admin\AppData\Roaming\PDF Architect 3
2015-07-14 23:09 - 2015-07-14 23:10 - 00000000 ____D C:\Users\Detlev\AppData\Local\PDFCreator
2015-07-14 23:07 - 2015-07-14 23:07 - 00000000 ____D C:\Users\Detlev\AppData\Roaming\PDF Architect 3
2015-07-14 23:06 - 2015-07-14 23:25 - 00000000 ____D C:\ProgramData\PDF Architect 3
2015-07-14 22:56 - 2015-07-14 22:58 - 28754952 _____ (pdfforge GmbH) C:\Users\Detlev\Downloads\PDFCreator-2_1_2-setup.exe
2015-07-14 14:06 - 2015-07-14 14:07 - 03966968 _____ (Ilja Herlein ) C:\Users\Detlev\Downloads\netsetman_setup_403.exe
2015-07-09 08:53 - 2015-07-09 08:53 - 00000000 ____D C:\Program Files (x86)\Dell Update
2015-07-01 10:03 - 2015-07-01 10:03 - 00000000 ____D C:\Users\Detlev\Documents\Steuerfälle
2015-06-28 20:29 - 2015-06-28 20:30 - 02861525 _____ C:\Users\Detlev\Downloads\picozip-recovery-tool_13451.exe
2015-06-25 22:43 - 2015-06-25 22:45 - 00000000 ____D C:\RecoveryTest
2015-06-24 01:29 - 2015-06-24 01:29 - 01217192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FM20.DLL
2015-06-24 00:34 - 2015-06-24 00:34 - 00000000 ____D C:\Program Files\Western Digital
2015-06-23 19:01 - 2015-06-23 19:01 - 01124072 _____ (Adobe Systems Incorporated) C:\Users\Detlev\Downloads\readerdc_de_ha_install.exe
2015-06-23 18:58 - 2015-07-16 21:38 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-06-23 18:58 - 2015-06-23 18:58 - 00002069 _____ C:\Users\Public\Desktop\Acrobat Reader DC.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-22 22:21 - 2014-07-29 23:16 - 00000000 ____D C:\Users\Admin
2015-07-22 22:19 - 2014-08-22 13:32 - 00000884 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-07-22 22:00 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-07-22 20:53 - 2014-07-31 23:47 - 00000000 ____D C:\Users\Detlev\.gimp-2.8
2015-07-22 20:01 - 2013-12-13 21:17 - 02019531 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-22 19:57 - 2015-05-29 22:06 - 00019937 _____ C:\WINDOWS\setupact.log
2015-07-22 19:56 - 2014-09-14 03:13 - 00000000 ____D C:\Users\Detlev\AppData\Roaming\vlc
2015-07-22 19:56 - 2014-01-04 02:00 - 00000000 ____D C:\Users\Detlev\AppData\Local\CrashDumps
2015-07-22 19:13 - 2013-12-13 21:19 - 01789004 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-07-22 19:13 - 2013-08-23 01:24 - 00770130 _____ C:\WINDOWS\system32\perfh007.dat
2015-07-22 19:13 - 2013-08-23 01:24 - 00160912 _____ C:\WINDOWS\system32\perfc007.dat
2015-07-22 19:08 - 2013-12-13 21:30 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2015-07-22 19:06 - 2015-05-29 09:49 - 00008192 _____ C:\WINDOWS\SysWOW64\WDPABKP.dat
2015-07-22 19:06 - 2013-08-22 16:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-22 18:32 - 2015-06-21 19:20 - 00000306 __RSH C:\ProgramData\ntuser.pol
2015-07-22 00:52 - 2014-08-06 14:25 - 00019433 _____ C:\Users\Detlev\AppData\Roaming\Rim.Desktop.Exception.log
2015-07-22 00:52 - 2014-08-06 14:25 - 00006083 _____ C:\Users\Detlev\AppData\Roaming\Rim.DesktopHelper.Exception.log
2015-07-21 22:20 - 2015-05-29 20:56 - 00000000 ____D C:\Users\Detlev\Documents\Privat
2015-07-21 20:07 - 2014-07-31 23:48 - 00000000 ____D C:\Users\Detlev\AppData\Local\gtk-2.0
2015-07-21 11:48 - 2013-12-27 13:02 - 00000000 ____D C:\Users\Detlev\Documents\Bank
2015-07-20 22:30 - 2015-05-29 22:06 - 00014624 _____ C:\WINDOWS\PFRO.log
2015-07-20 22:30 - 2013-08-22 16:44 - 00481592 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-07-20 22:28 - 2013-08-22 17:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-07-20 21:23 - 2014-07-29 23:16 - 00000000 ____D C:\Users\Detlev
2015-07-20 02:02 - 2014-08-09 18:26 - 00000000 ____D C:\ProgramData\Package Cache
2015-07-20 00:51 - 2015-06-21 18:04 - 00000000 ____D C:\Users\Detlev\AppData\Local\Windows Live
2015-07-20 00:13 - 2015-03-29 17:32 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2015-07-20 00:13 - 2015-03-29 17:32 - 00000000 ___SD C:\WINDOWS\system32\GWX
2015-07-19 12:39 - 2015-02-23 22:14 - 00000000 ____D C:\ProgramData\Oracle
2015-07-19 12:38 - 2015-04-27 22:54 - 00097888 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2015-07-19 12:38 - 2015-02-23 22:14 - 00000000 ____D C:\Program Files (x86)\Java
2015-07-18 10:37 - 2013-12-27 13:12 - 00000000 ____D C:\Users\Detlev\Documents\Reise
2015-07-17 19:02 - 2014-08-05 13:33 - 00002523 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat XI Standard.lnk
2015-07-17 19:02 - 2014-08-05 13:33 - 00002071 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller XI.lnk
2015-07-16 13:03 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\rescache
2015-07-16 11:16 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2015-07-15 15:29 - 2014-07-30 00:06 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-07-15 15:28 - 2014-07-30 01:06 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-07-14 23:08 - 2014-07-29 23:59 - 00000000 ____D C:\Users\Admin\AppData\Local\CrashDumps
2015-07-14 14:07 - 2015-03-01 22:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSetMan
2015-07-14 14:07 - 2015-03-01 22:28 - 00000000 ____D C:\Program Files (x86)\NetSetMan
2015-07-14 11:42 - 2014-11-07 00:46 - 00000000 ____D C:\Users\Detlev\Documents\Elternbeirat
2015-07-13 23:10 - 2013-08-22 17:38 - 00792568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-07-13 23:10 - 2013-08-22 17:38 - 00178168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-09 08:53 - 2013-12-13 21:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2015-07-03 08:43 - 2014-07-30 01:06 - 130333168 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-06-25 21:34 - 2014-07-30 06:21 - 00000000 ____D C:\Users\Detlev\AppData\Local\Adobe
2015-06-25 21:13 - 2014-08-31 23:34 - 00000000 ____D C:\Users\Admin\AppData\Local\Adobe
2015-06-24 00:34 - 2015-05-30 15:07 - 00000000 ____D C:\Program Files\Common Files\Western Digital
2015-06-24 00:34 - 2015-05-29 22:40 - 00024104 _____ C:\WINDOWS\DPINST.LOG
2015-06-24 00:34 - 2015-05-29 09:49 - 00000000 ____D C:\Program Files (x86)\Western Digital
2015-06-24 00:34 - 2015-05-29 09:48 - 00000000 ____D C:\ProgramData\Western Digital
2015-06-23 23:39 - 2014-07-29 23:20 - 00000000 ____D C:\Users\Detlev\AppData\Roaming\Adobe
2015-06-23 18:58 - 2014-07-29 23:37 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-06-23 18:57 - 2014-07-29 23:37 - 00000000 ____D C:\ProgramData\Adobe
2015-06-22 08:32 - 2015-04-12 20:42 - 00000000 ____D C:\WINDOWS\system32\appraiser
2015-06-22 08:32 - 2014-11-20 11:10 - 00000000 ___SD C:\WINDOWS\system32\CompatTel
2015-06-22 08:32 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\WinStore

==================== Files in the root of some directories =======

2015-01-08 17:39 - 2015-01-08 17:39 - 0021886 _____ () C:\Users\Detlev\AppData\Roaming\Kommagetrennte Werte (DOS).ADR
2015-03-13 20:06 - 2015-03-13 20:06 - 0022446 _____ () C:\Users\Detlev\AppData\Roaming\Kommagetrennte Werte (Windows).ADR
2014-10-04 22:30 - 2014-10-04 22:30 - 0038446 _____ () C:\Users\Detlev\AppData\Roaming\Microsoft Excel 97-2003.ADR
2014-08-06 14:25 - 2015-07-22 00:52 - 0019433 _____ () C:\Users\Detlev\AppData\Roaming\Rim.Desktop.Exception.log
2014-08-06 14:25 - 2015-07-22 00:52 - 0006083 _____ () C:\Users\Detlev\AppData\Roaming\Rim.DesktopHelper.Exception.log
2015-01-08 17:45 - 2015-01-08 17:45 - 0022608 _____ () C:\Users\Detlev\AppData\Roaming\Tabulatorgetrennte Werte (DOS).ADR
2015-07-22 20:00 - 2015-07-22 20:00 - 0132632 _____ () C:\Users\Detlev\AppData\Local\recently-used.xbel
2014-05-12 11:33 - 2014-05-12 11:33 - 0000017 _____ () C:\Users\Detlev\AppData\Local\resmon.resmoncfg
2015-01-01 17:34 - 2015-01-01 17:34 - 2363650 _____ () C:\ProgramData\1420126384.bdinstall.bin
2013-12-13 21:12 - 2013-12-13 21:12 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\Admin\AppData\Local\Temp\DseShExt-x64.dll
C:\Users\Admin\AppData\Local\Temp\DseShExt-x86.dll
C:\Users\Admin\AppData\Local\Temp\SDShelEx-win32.dll
C:\Users\Admin\AppData\Local\Temp\SDShelEx-x64.dll
C:\Users\Detlev\AppData\Local\Temp\jre-8u51-windows-au.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================
--- --- ---

schrauber 24.07.2015 16:30
ehm....soll ein Scherz sein oder? :)
Immer noch noch Adminrechte.......

DWaKd 24.07.2015 18:11
Hallo,

verstehe nicht, wo die Admin-Recht herkommen. Habe das so gemacht, wie die anderen Dateien auch. Was muss ich tun?

Gruß
Detlev

-----Ursprüngliche Nachricht-----
Von: Trojaner-Board [mailto:pz@trojaner-board.de]
Gesendet: Freitag, 24. Juli 2015 17:31
An: detlev.wagner@web.de


FRST Logfile:
Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-07-2015
Ran by Admin (administrator) on OFFICE01 on 24-07-2015 19:09:17
Running from E:\TrojanerBoard
Loaded Profiles: Admin & Detlev (Available Profiles: Admin & Detlev & Administrator)
Platform: Windows 8.1 (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
() C:\Programme (x86)\AAVUpdateManager\aavus.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
() C:\Windows\System32\DnsBlockUpdateSvc.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\SysWOW64\irstrtsv.exe
() C:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Ilja Herlein) C:\Program Files (x86)\NetSetMan\nsmservice.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Intel(R) Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\OTBSurvey.exe
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
(Intel Corporation) C:\Windows\Temp\irstrtsv\scrncap.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwtxapps.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Ilja Herlein) C:\Program Files (x86)\NetSetMan\netsetman.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\SysWOW64\SearchProtocolHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-30] (Intel Corporation)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3058848 2012-07-24] (Dell Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2780400 2014-05-06] (Synaptics Incorporated)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [IntelPROSet] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [4878752 2015-03-19] (Intel(R) Corporation)
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdagent.exe [1641648 2014-06-17] (Bitdefender)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [267792 2013-01-17] (Research In Motion Limited)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3498728 2015-06-29] (Adobe Systems Inc.)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [642664 2014-02-13] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863848 2014-02-13] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [NetSetMan] => C:\Program Files (x86)\NetSetMan\netsetman.exe [6539944 2015-06-16] (Ilja Herlein)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1694048 2014-05-23] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2015-05-20] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5564784 2015-05-01] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2086240 2015-04-28] (Wondershare)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKLM\...\RunOnce: [ASYNCMAC] => rundll32.exe streamci,StreamingDeviceSetup {eeab7790-c514-11d1-b42b-00805fc1270e},asyncmac,{ad498944-762f-11d0-8dcb-00c04fc3358c},C:\WINDOWS\INF\netrasa.inf,Ndis-Mp-AsyncMac
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2015-06-18] (Malwarebytes Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1058572625-867591187-812149052-1001\...\Run: [Bitdefender-Geldb�rse-Agent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe [881032 2014-06-18] (Bitdefender)
HKU\S-1-5-21-1058572625-867591187-812149052-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [Bitdefender-Geldb�rse-Agent] => C:\Program Files\Bitdefender\Bitdefender 2015\bdwtxag.exe [881032 2014-06-18] (Bitdefender)
HKU\S-1-5-21-1058572625-867591187-812149052-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7416088 2015-02-19] (Piriform Ltd)
Startup: C:\Users\Detlev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk [2014-08-08]
ShortcutTarget: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\WINDOWS\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser]  <======= ATTENTION (Policy restriction on ProxySettings)
ProxyEnable: [S-1-5-21-1058572625-867591187-812149052-1002] => Internet Explorer proxy is enabled.
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-1058572625-867591187-812149052-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1058572625-867591187-812149052-1002\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> {DF4AC5A7-A78F-4A31-B77B-BA9B88A14453} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1058572625-867591187-812149052-1001 -> {3D41F773-C2A2-4541-8F58-DF94FA1311D3} URL = hxxp://search.yahoo.com/search?ei=utf-8&fr=chr-vmn&type=photopos2_0yach&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1058572625-867591187-812149052-1001 -> {57CF7BF6-6348-4154-A75E-48E42BDB3AF5} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> DefaultScope {57CF7BF6-6348-4154-A75E-48E42BDB3AF5} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> {57CF7BF6-6348-4154-A75E-48E42BDB3AF5} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files\{DCB99623-DFAE-4297-B412-EB532D4B2DB7}\{45F26614-6ADF-43A4-B5A6-1F917C1DE834}.bin [2015-07-22] (Download Protect)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\ssv.dll [2015-07-19] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files (x86)\{88F2BEBC-E310-466E-AAF6-B647EF538B58}\{2FDA30AA-080D-4720-B65B-7287BE47EFB5}.bin [2015-07-22] (Download Protect)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\jp2ssv.dll [2015-07-19] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM - Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\pmbxie.dll [2014-06-18] (Bitdefender)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\Antispam32\pmbxie.dll [2014-06-18] (Bitdefender)
Toolbar: HKU\S-1-5-21-1058572625-867591187-812149052-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-1058572625-867591187-812149052-1001 -> Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\pmbxie.dll [2014-06-18] (Bitdefender)
Toolbar: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1058572625-867591187-812149052-1002 -> Bitdefender-Geldbörse - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender 2015\pmbxie.dll [2014-06-18] (Bitdefender)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-05-01] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-05-01] (Microsoft Corporation)
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
Tcpip\..\Interfaces\{72C81EA3-A616-44BB-B316-EA42CE39A066}: [NameServer] 192.168.129.10
Tcpip\..\Interfaces\{F35878CF-4C09-486C-9E84-BB14D36C6750}: [DhcpNameServer] 13.36.0.102

FireFox:
========
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3382xg8l.default
FF DefaultSearchUrl: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: Google
FF SelectedSearchEngine: google
FF Homepage: hxxp://www.google.de?hl=de&gl=de
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=UTF-8&oe=UTF-8&meta=lr=lang_de&q=
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF NetworkProxy: "no_proxies_on", ""
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "type", 1
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-07-15] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-28] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-15] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\dtplugin\npDeployJava1.dll [2015-07-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll [2015-07-19] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-05] (Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2012-12-13] ()
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-07-03] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2014-04-28] (Adobe Systems)
FF user.js: detected! => C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3382xg8l.default\user.js [2015-07-22]
FF Extension: WEB.DE MailCheck - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3382xg8l.default\Extensions\mailcheck@web.de [2015-06-21]
FF Extension: WEB.DE MailCheck - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3382xg8l.default\Extensions\toolbar@web.de [2015-07-20]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext
FF Extension: Bitdefender Antispam Toolbar - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext [2015-07-22]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-08-05]
FF HKLM-x32\...\Firefox\Extensions: [bdwteff@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff [2015-07-22]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com
FF HKLM-x32\...\Firefox\Extensions: [{CB235133-5305-4E26-8727-256679D3FF57}] - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi [2015-07-20]
FF HKLM-x32\...\Firefox\Extensions: [{434BF744-47E1-45F7-B215-EAE9123E8522}] - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi [2015-07-22]
FF HKLM-x32\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender 2015\bdtbext
FF Extension: No Name - C:\WINDOWS\Installer\{99D755A3-4ECD-4D83-9CA0-615EA62D70DA}\{4CC98C2D-7923-446E-B20F-C47DE4EF419B}.xpi [not found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2015-06-29]
CHR HKLM-x32\...\Chrome\Extension: [fabcmochhfpldjekobfaaggijgohadih] - https://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AAV UpdateService; C:\Programme (x86)\AAVUpdateManager\aavus.exe [128296 2008-10-24] ()
S4 BdDesktopParental; C:\Program Files\Bitdefender\Bitdefender 2015\bdparentalservice.exe [77632 2014-06-06] (Bitdefender)
R3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited) [File not signed]
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-29] (Microsoft Corporation)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1394816 2015-05-01] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1772672 2015-05-01] (Microsoft Corporation)
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\OTBSurvey.exe [145288 2015-04-09] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-06-09] (Dell Inc.)
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [10813232 2014-09-08] (DisplayLink Corp.)
R2 DnsBlockUpdateSvc; C:\WINDOWS\system32\DnsBlockUpdateSvc.exe [149024 2015-06-21] ()
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-30] (Intel Corporation)
S2 ibtsiva; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [131312 2015-03-19] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel(R) Corporation)
R2 irstrtsv; C:\Windows\SysWOW64\irstrtsv.exe [783264 2013-09-09] (Intel Corporation)
R2 ISCTAgent; c:\Program Files\Intel\Intel(R) Smart Connect Technology Agent\iSCTAgent.exe [198120 2013-08-01] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-03-19] ()
R2 nsmService; C:\Program Files (x86)\NetSetMan\nsmservice.exe [1278632 2015-02-06] (Ilja Herlein)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [292568 2014-12-11] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [1915920 2013-11-22] (SoftThinks SAS)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender 2015\updatesrv.exe [67320 2014-06-12] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender 2015\vsserv.exe [1512392 2014-06-13] (Bitdefender)
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2015-05-01] (Western Digital Technologies, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [306552 2015-05-20] (Western Digital Technologies, Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-04] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-04] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3820960 2015-03-19] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1306464 2015-02-25] (BitDefender)
R3 avchv; C:\Windows\system32\DRIVERS\avchv.sys [262544 2015-02-25] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [677104 2015-02-25] (BitDefender)
S0 bdelam; C:\Windows\System32\drivers\bdelam.sys [23568 2013-09-08] (Bitdefender)
R1 BdfNdisf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfndisf6.sys [98768 2015-07-23] (BitDefender LLC)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [107008 2013-07-29] (BitDefender LLC)
S3 bdfwfpf_pc; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf_pc.sys [121928 2013-07-02] (Bitdefender SRL)
S3 BDSandBox; C:\WINDOWS\system32\drivers\bdsandbox.sys [82824 2015-07-23] (BitDefender SRL)
S3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
S3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1448248 2014-11-26] (Motorola Solutions, Inc.)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-25] (OSR Open Systems Resources, Inc.)
R3 DisplayLinkUsbIo_x64; C:\Windows\System32\drivers\DisplayLinkUsbIo_x64_7.6.54217.0.sys [46384 2014-09-22] ()
R3 dlcdcncm; C:\Windows\system32\DRIVERS\dlcdcncm62_x64.sys [82224 2014-09-08] (DisplayLink Corp.)
R3 dlusbaudio; C:\Windows\system32\DRIVERS\dlusbaudio_x64.sys [206640 2014-09-08] (DisplayLink Corp.)
R3 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [160544 2015-07-23] (BitDefender LLC)
S3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-08-09] (Intel Corporation)
R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [120312 2014-06-03] (Intel Corporation)
S3 iaLPSS_SPI; C:\Windows\System32\drivers\iaLPSS_SPI.sys [83960 2013-08-09] (Intel Corporation)
S3 iaLPSS_UART2; C:\Windows\System32\drivers\iaLPSS_UART2.sys [129528 2013-08-09] (Intel Corporation)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [253680 2015-03-19] (Intel Corporation)
R3 ikbevent; C:\Windows\system32\DRIVERS\ikbevent.sys [21408 2013-08-01] ()
R3 imsevent; C:\Windows\system32\DRIVERS\imsevent.sys [21920 2013-08-01] ()
R3 INETMON; C:\Windows\System32\Drivers\INETMON.sys [29088 2013-08-01] ()
R3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [20192 2013-09-09] (Intel Corporation)
R3 ISCT; C:\Windows\System32\drivers\ISCTD64.sys [46568 2013-08-01] ()
S3 LAN7500; C:\Windows\system32\DRIVERS\lan7500-x64-n630f.sys [96256 2013-04-05] (SMSC)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [113880 2015-07-20] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [99288 2013-12-19] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3497240 2015-03-23] (Intel Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
R3 SensorsAlsDriver; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-29] (Microsoft Corporation)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [41200 2014-05-06] (Synaptics Incorporated)
U5 TMUSB; C:\Windows\System32\DRIVERS\TMUSB64.SYS [63096 2014-03-19] (Seiko Epson Corporation)
R2 trufos; C:\Windows\System32\DRIVERS\trufos.sys [452040 2015-07-23] (BitDefender S.R.L.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)
S3 btmaux; \SystemRoot\system32\DRIVERS\btmaux.sys [X]
U3 pwtyapod; \??\C:\Users\Admin\AppData\Local\Temp\pwtyapod.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-24 18:52 - 2015-07-24 18:52 - 00158209 _____ C:\Users\Detlev\AppData\Local\recently-used.xbel
2015-07-22 22:51 - 2015-07-22 22:51 - 00481437 _____ C:\Users\Detlev\Desktop\gmer.txt
2015-07-22 22:38 - 2015-07-23 09:16 - 00160544 _____ (BitDefender LLC) C:\WINDOWS\system32\Drivers\gzflt.sys
2015-07-22 22:38 - 2015-07-23 09:15 - 00452040 _____ (BitDefender S.R.L.) C:\WINDOWS\system32\Drivers\trufos.sys
2015-07-22 22:38 - 2015-07-22 22:38 - 00478395 _____ C:\ProgramData\1437597482.bdinstall.bin
2015-07-22 22:38 - 2015-07-22 22:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bitdefender 2015
2015-07-22 22:24 - 2015-07-22 22:24 - 00028515 _____ C:\Users\Detlev\Desktop\Addition.txt
2015-07-22 22:23 - 2015-07-24 19:09 - 00000000 ____D C:\FRST
2015-07-22 22:23 - 2015-07-22 22:24 - 00054151 _____ C:\Users\Detlev\Desktop\FRST.txt
2015-07-22 22:21 - 2015-07-22 22:21 - 00000472 _____ C:\Users\Detlev\Desktop\defogger_disable.log
2015-07-22 22:21 - 2015-07-22 22:21 - 00000000 _____ C:\Users\Admin\defogger_reenable
2015-07-22 22:20 - 2015-07-22 22:08 - 00380416 _____ C:\Users\Detlev\Desktop\Gmer-19357.exe
2015-07-22 22:20 - 2015-07-22 22:07 - 02135552 _____ (Farbar) C:\Users\Detlev\Desktop\FRST64.exe
2015-07-22 22:20 - 2015-07-22 22:04 - 00050477 _____ C:\Users\Detlev\Desktop\Defogger.exe
2015-07-22 20:02 - 2015-07-22 22:25 - 00000000 ____D C:\ProgramData\SecTaskMan
2015-07-22 19:40 - 2015-07-22 19:40 - 00004124 _____ C:\Users\Detlev\Desktop\result2.txt
2015-07-22 18:32 - 2015-07-22 18:32 - 00000000 ____D C:\Program Files\{DCB99623-DFAE-4297-B412-EB532D4B2DB7}
2015-07-22 18:32 - 2015-07-22 18:32 - 00000000 ____D C:\Program Files (x86)\{88F2BEBC-E310-466E-AAF6-B647EF538B58}
2015-07-20 21:23 - 2015-07-20 21:29 - 63320784 _____ (Microsoft Corporation) C:\Users\Detlev\Downloads\IE11-Windows6.1-x64-de-de.exe
2015-07-20 21:23 - 2015-07-20 21:24 - 00000000 ___RD C:\Users\Detlev\Favorites - Kopie
2015-07-20 21:13 - 2015-07-20 21:13 - 00063173 _____ C:\Users\Detlev\Desktop\Firefox-bookmarks-2015-07-20.json
2015-07-20 20:58 - 2015-07-20 21:01 - 40945288 _____ C:\Users\Detlev\Downloads\firefox_setup_39.0.exe
2015-07-20 20:53 - 2015-07-14 16:14 - 00358912 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2015-07-20 20:53 - 2015-07-14 16:14 - 00301056 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2015-07-20 20:53 - 2015-07-14 16:14 - 00035840 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2015-07-20 20:53 - 2015-07-14 16:13 - 00044032 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2015-07-20 20:33 - 2015-07-22 19:11 - 00009297 _____ C:\Users\Detlev\Desktop\Ausgaben Urlaub.xlsx
2015-07-20 11:09 - 2015-07-20 11:10 - 00004385 _____ C:\Users\Detlev\Desktop\result.txt
2015-07-20 03:32 - 2015-07-20 22:09 - 00113880 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-07-20 03:32 - 2015-07-20 22:07 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-20 03:32 - 2015-07-20 22:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-20 03:32 - 2015-07-20 22:07 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-07-20 03:32 - 2015-07-20 03:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-07-20 03:32 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-07-20 03:32 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-07-20 03:32 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-07-20 03:21 - 2015-07-20 03:25 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\Detlev\Desktop\mbam-setup-2.1.6.1022.exe
2015-07-20 02:44 - 2015-07-20 02:44 - 00001784 _____ C:\Users\Detlev\Desktop\Fixlist.txt
2015-07-20 02:32 - 2015-07-20 02:32 - 00000586 _____ C:\Users\Admin\Documents\reg20150720.reg
2015-07-20 01:57 - 2015-07-20 01:57 - 01198368 _____ C:\Users\Detlev\Downloads\Malwarebytes Anti Malware Malware Scanner - CHIP-Installer.exe
2015-07-19 20:32 - 2015-07-19 20:32 - 00001172 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spy Protector.lnk
2015-07-19 20:32 - 2015-07-19 20:32 - 00001161 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager.lnk
2015-07-19 20:32 - 2015-07-19 20:32 - 00001149 _____ C:\Users\Public\Desktop\Security Task Manager.lnk
2015-07-19 20:32 - 2015-07-19 20:32 - 00000000 ____D C:\Program Files (x86)\Security Task Manager
2015-07-16 21:41 - 2015-07-16 21:41 - 00000000 ____D C:\Users\Detlev\AppData\Local\CEF
2015-07-16 12:45 - 2015-07-16 12:45 - 00000000 ____D C:\Users\Detlev\Downloads\DDA_v16
2015-07-16 12:44 - 2015-07-16 12:44 - 00504083 _____ C:\Users\Detlev\Downloads\DDA_v16.zip
2015-07-16 00:26 - 2015-07-16 00:27 - 41578048 _____ C:\Users\Detlev\Downloads\WEB.DE_Firefox_Setup(1).exe
2015-07-15 10:38 - 2015-06-28 07:07 - 00442712 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2015-07-15 10:38 - 2015-06-28 07:07 - 00178008 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2015-07-15 10:38 - 2015-06-28 07:06 - 01311960 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcrt4.dll
2015-07-15 10:38 - 2015-06-28 07:06 - 00332120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2015-07-15 10:38 - 2015-06-27 18:42 - 00747520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rpcrt4.dll
2015-07-15 10:38 - 2015-06-27 05:13 - 00202240 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2015-07-15 10:38 - 2015-06-27 05:12 - 00401408 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2015-07-15 10:38 - 2015-06-27 05:12 - 00284672 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb10.sys
2015-07-15 10:38 - 2015-06-27 04:40 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2015-07-15 10:38 - 2015-06-27 04:05 - 01441792 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2015-07-15 10:38 - 2015-06-27 04:00 - 00989184 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2015-07-15 10:38 - 2015-06-27 03:53 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2015-07-15 10:38 - 2015-06-27 03:26 - 00802816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2015-07-15 10:38 - 2015-06-25 04:31 - 04177920 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-07-15 10:38 - 2015-06-16 00:41 - 00065024 _____ (Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
2015-07-15 10:38 - 2015-06-16 00:24 - 03320320 _____ (Microsoft Corporation) C:\WINDOWS\system32\msi.dll
2015-07-15 10:38 - 2015-06-15 23:16 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msiexec.exe
2015-07-15 10:38 - 2015-06-15 23:09 - 03607552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msi.dll
2015-07-15 10:38 - 2015-06-15 22:50 - 02774528 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2015-07-15 10:38 - 2015-06-15 21:57 - 02460160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2015-07-15 10:37 - 2015-06-16 00:39 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-07-15 10:37 - 2015-06-16 00:38 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2015-07-15 10:37 - 2015-06-16 00:26 - 00633856 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2015-07-15 10:37 - 2015-06-16 00:24 - 00816640 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-07-15 10:37 - 2015-06-16 00:02 - 00087552 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdc.ocx
2015-07-15 10:37 - 2015-06-15 23:58 - 00199680 _____ (Microsoft Corporation) C:\WINDOWS\system32\msrating.dll
2015-07-15 10:37 - 2015-06-15 23:57 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-07-15 10:37 - 2015-06-15 23:56 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2015-07-15 10:37 - 2015-06-15 23:55 - 00316928 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2015-07-15 10:37 - 2015-06-15 23:49 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-07-15 10:37 - 2015-06-15 23:41 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-07-15 10:37 - 2015-06-15 23:38 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-07-15 10:37 - 2015-06-15 23:36 - 02125824 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-07-15 10:37 - 2015-06-15 23:17 - 02880000 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2015-07-15 10:37 - 2015-06-15 23:16 - 02427392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-07-15 10:37 - 2015-06-15 23:15 - 00504320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-07-15 10:37 - 2015-06-15 23:13 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-07-15 10:37 - 2015-06-15 23:04 - 00478208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieui.dll
2015-07-15 10:37 - 2015-06-15 23:03 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-07-15 10:37 - 2015-06-15 22:52 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-07-15 10:37 - 2015-06-15 22:47 - 00073216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdc.ocx
2015-07-15 10:37 - 2015-06-15 22:44 - 00168960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msrating.dll
2015-07-15 10:37 - 2015-06-15 22:43 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2015-07-15 10:37 - 2015-06-15 22:42 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2015-07-15 10:37 - 2015-06-15 22:41 - 00285696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2015-07-15 10:37 - 2015-06-15 22:37 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-07-15 10:37 - 2015-06-15 22:32 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-07-15 10:37 - 2015-06-15 22:31 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-07-15 10:37 - 2015-06-15 22:30 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-07-15 10:37 - 2015-06-15 22:30 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-07-15 10:37 - 2015-06-15 22:17 - 01048576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\actxprxy.dll
2015-07-15 10:37 - 2015-06-15 22:07 - 01951232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-07-15 10:37 - 2015-06-15 22:02 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-07-15 10:37 - 2015-05-30 23:18 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\system32\werdiagcontroller.dll
2015-07-15 10:37 - 2015-05-30 21:36 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2015-07-15 10:37 - 2015-05-30 21:35 - 00911360 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-07-15 10:36 - 2015-07-02 23:21 - 19877376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-07-15 10:36 - 2015-07-02 22:50 - 02279424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-07-15 10:36 - 2015-07-02 22:49 - 25193984 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-07-15 10:36 - 2015-07-02 22:23 - 02885632 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-07-15 10:36 - 2015-07-02 22:19 - 12855296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-07-15 10:36 - 2015-07-02 21:55 - 01310720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-07-15 10:36 - 2015-07-02 21:20 - 14453248 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-07-15 10:36 - 2015-07-02 20:59 - 01545728 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-07-15 10:36 - 2015-07-02 00:08 - 05923840 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-07-15 10:36 - 2015-07-01 23:14 - 04520448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-07-15 10:36 - 2015-06-16 07:36 - 01661576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2015-07-15 10:36 - 2015-06-16 07:36 - 01212248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2015-07-15 10:36 - 2015-06-11 05:49 - 01380600 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2015-07-15 10:36 - 2015-06-10 18:13 - 01097216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2015-07-14 23:25 - 2015-07-14 23:25 - 00000000 ____D C:\Users\Admin\AppData\Roaming\PDF Architect 3
2015-07-14 23:09 - 2015-07-14 23:10 - 00000000 ____D C:\Users\Detlev\AppData\Local\PDFCreator
2015-07-14 23:07 - 2015-07-14 23:07 - 00000000 ____D C:\Users\Detlev\AppData\Roaming\PDF Architect 3
2015-07-14 23:06 - 2015-07-14 23:25 - 00000000 ____D C:\ProgramData\PDF Architect 3
2015-07-14 22:56 - 2015-07-14 22:58 - 28754952 _____ (pdfforge GmbH) C:\Users\Detlev\Downloads\PDFCreator-2_1_2-setup.exe
2015-07-14 14:06 - 2015-07-14 14:07 - 03966968 _____ (Ilja Herlein ) C:\Users\Detlev\Downloads\netsetman_setup_403.exe
2015-07-09 08:53 - 2015-07-09 08:53 - 00000000 ____D C:\Program Files (x86)\Dell Update
2015-07-01 10:03 - 2015-07-01 10:03 - 00000000 ____D C:\Users\Detlev\Documents\Steuerfälle
2015-06-28 20:29 - 2015-06-28 20:30 - 02861525 _____ C:\Users\Detlev\Downloads\picozip-recovery-tool_13451.exe
2015-06-25 22:43 - 2015-06-25 22:45 - 00000000 ____D C:\RecoveryTest
2015-06-24 01:29 - 2015-06-24 01:29 - 01217192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FM20.DLL
2015-06-24 00:34 - 2015-06-24 00:34 - 00000000 ____D C:\Program Files\Western Digital

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-24 19:02 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-07-24 18:53 - 2014-07-31 23:47 - 00000000 ____D C:\Users\Detlev\.gimp-2.8
2015-07-24 18:26 - 2014-07-31 23:48 - 00000000 ____D C:\Users\Detlev\AppData\Local\gtk-2.0
2015-07-24 12:26 - 2014-09-14 03:13 - 00000000 ____D C:\Users\Detlev\AppData\Roaming\vlc
2015-07-24 12:26 - 2014-01-04 02:00 - 00000000 ____D C:\Users\Detlev\AppData\Local\CrashDumps
2015-07-24 10:43 - 2013-12-13 21:17 - 01116388 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-23 09:16 - 2014-07-30 06:26 - 00003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1058572625-867591187-812149052-1002
2015-07-23 09:15 - 2015-02-25 15:53 - 00082824 _____ (BitDefender SRL) C:\WINDOWS\system32\Drivers\bdsandbox.sys
2015-07-23 09:15 - 2015-01-01 17:33 - 00084848 _____ (BitDefender SRL) C:\WINDOWS\system32\bdsandboxuiskin.dll.upd
2015-07-23 09:15 - 2015-01-01 17:33 - 00033360 _____ (BitDefender SRL) C:\WINDOWS\system32\bdsandboxuh.dll.upd
2015-07-22 22:39 - 2013-08-22 15:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2015-07-22 22:38 - 2015-01-01 17:34 - 00002215 _____ C:\Users\Public\Desktop\Bitdefender Internet Security.lnk
2015-07-22 22:38 - 2015-01-01 17:34 - 00000000 ____D C:\Users\Admin\AppData\Roaming\Bitdefender
2015-07-22 22:38 - 2015-01-01 17:33 - 00000000 ____D C:\ProgramData\Bitdefender
2015-07-22 22:38 - 2015-01-01 17:31 - 00000000 ____D C:\Program Files\Common Files\Bitdefender
2015-07-22 22:21 - 2014-07-29 23:16 - 00000000 ____D C:\Users\Admin
2015-07-22 22:19 - 2014-08-22 13:32 - 00000884 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-07-22 19:57 - 2015-05-29 22:06 - 00019937 _____ C:\WINDOWS\setupact.log
2015-07-22 19:13 - 2013-12-13 21:19 - 01789004 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-07-22 19:13 - 2013-08-23 01:24 - 00770130 _____ C:\WINDOWS\system32\perfh007.dat
2015-07-22 19:13 - 2013-08-23 01:24 - 00160912 _____ C:\WINDOWS\system32\perfc007.dat
2015-07-22 19:08 - 2013-12-13 21:30 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2015-07-22 19:06 - 2015-05-29 09:49 - 00008192 _____ C:\WINDOWS\SysWOW64\WDPABKP.dat
2015-07-22 19:06 - 2013-08-22 16:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-22 18:32 - 2015-06-21 19:20 - 00000306 __RSH C:\ProgramData\ntuser.pol
2015-07-22 00:52 - 2014-08-06 14:25 - 00019433 _____ C:\Users\Detlev\AppData\Roaming\Rim.Desktop.Exception.log
2015-07-22 00:52 - 2014-08-06 14:25 - 00006083 _____ C:\Users\Detlev\AppData\Roaming\Rim.DesktopHelper.Exception.log
2015-07-21 22:20 - 2015-05-29 20:56 - 00000000 ____D C:\Users\Detlev\Documents\Privat
2015-07-21 11:48 - 2013-12-27 13:02 - 00000000 ____D C:\Users\Detlev\Documents\Bank
2015-07-20 22:30 - 2015-05-29 22:06 - 00014624 _____ C:\WINDOWS\PFRO.log
2015-07-20 22:30 - 2013-08-22 16:44 - 00481592 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-07-20 22:28 - 2013-08-22 17:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-07-20 21:23 - 2014-07-29 23:16 - 00000000 ____D C:\Users\Detlev
2015-07-20 02:02 - 2014-08-09 18:26 - 00000000 ____D C:\ProgramData\Package Cache
2015-07-20 01:08 - 2013-08-22 15:25 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2015-07-20 00:51 - 2015-06-21 18:04 - 00000000 ____D C:\Users\Detlev\AppData\Local\Windows Live
2015-07-20 00:13 - 2015-03-29 17:32 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2015-07-20 00:13 - 2015-03-29 17:32 - 00000000 ___SD C:\WINDOWS\system32\GWX
2015-07-19 12:39 - 2015-02-23 22:14 - 00000000 ____D C:\ProgramData\Oracle
2015-07-19 12:38 - 2015-04-27 22:54 - 00097888 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2015-07-19 12:38 - 2015-02-23 22:14 - 00000000 ____D C:\Program Files (x86)\Java
2015-07-18 10:37 - 2013-12-27 13:12 - 00000000 ____D C:\Users\Detlev\Documents\Reise
2015-07-17 19:02 - 2014-08-05 13:33 - 00002523 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat XI Standard.lnk
2015-07-17 19:02 - 2014-08-05 13:33 - 00002071 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller XI.lnk
2015-07-16 21:38 - 2015-06-23 18:58 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-07-16 13:03 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\rescache
2015-07-16 11:21 - 2014-12-28 03:16 - 00003886 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2015-07-16 11:16 - 2013-08-22 17:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2015-07-15 16:19 - 2014-08-22 13:32 - 00003772 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-07-15 15:29 - 2014-07-30 00:06 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-07-15 15:28 - 2014-07-30 01:06 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-07-14 23:08 - 2014-07-29 23:59 - 00000000 ____D C:\Users\Admin\AppData\Local\CrashDumps
2015-07-14 14:07 - 2015-03-01 22:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSetMan
2015-07-14 14:07 - 2015-03-01 22:28 - 00000000 ____D C:\Program Files (x86)\NetSetMan
2015-07-14 11:42 - 2014-11-07 00:46 - 00000000 ____D C:\Users\Detlev\Documents\Elternbeirat
2015-07-13 23:10 - 2013-08-22 17:38 - 00792568 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-07-13 23:10 - 2013-08-22 17:38 - 00178168 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-09 08:53 - 2013-12-13 21:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2015-07-03 08:43 - 2014-07-30 01:06 - 130333168 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-06-25 21:34 - 2014-07-30 06:21 - 00000000 ____D C:\Users\Detlev\AppData\Local\Adobe
2015-06-25 21:13 - 2014-08-31 23:34 - 00000000 ____D C:\Users\Admin\AppData\Local\Adobe
2015-06-24 00:34 - 2015-05-30 15:07 - 00000000 ____D C:\Program Files\Common Files\Western Digital
2015-06-24 00:34 - 2015-05-29 22:40 - 00024104 _____ C:\WINDOWS\DPINST.LOG
2015-06-24 00:34 - 2015-05-29 09:49 - 00000000 ____D C:\Program Files (x86)\Western Digital
2015-06-24 00:34 - 2015-05-29 09:48 - 00000000 ____D C:\ProgramData\Western Digital

==================== Files in the root of some directories =======

2015-03-23 10:38 - 2015-03-24 21:13 - 0000053 _____ () C:\Users\Admin\AppData\Roaming\LogFile.txt
2014-07-30 00:56 - 2015-03-14 00:53 - 0000154 _____ () C:\Users\Admin\AppData\Roaming\Rim.Desktop.Exception.log
2014-07-30 00:56 - 2014-07-30 00:56 - 0001111 _____ () C:\Users\Admin\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2014-07-30 00:56 - 2015-03-14 00:53 - 0000154 _____ () C:\Users\Admin\AppData\Roaming\Rim.DesktopHelper.Exception.log
2015-01-01 17:34 - 2015-01-01 17:34 - 2363650 _____ () C:\ProgramData\1420126384.bdinstall.bin
2015-07-22 22:38 - 2015-07-22 22:38 - 0478395 _____ () C:\ProgramData\1437597482.bdinstall.bin
2013-12-13 21:12 - 2013-12-13 21:12 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-07-21 08:56

==================== End of log ============================
--- --- ---

schrauber 25.07.2015 10:45
Beim Fix brauchen wir wieder Adminrechte.

Drücke bitte die Windowstaste + R Taste und schreibe notepad in das Ausführen Fenster.

Kopiere nun folgenden Text aus der Code-Box in das leere Textdokument

Code:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser]  <======= ATTENTION (Policy restriction on ProxySettings)
ProxyEnable: [S-1-5-21-1058572625-867591187-812149052-1002] => Internet Explorer proxy is enabled.
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-1058572625-867591187-812149052-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1058572625-867591187-812149052-1002\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> {DF4AC5A7-A78F-4A31-B77B-BA9B88A14453} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files\{DCB99623-DFAE-4297-B412-EB532D4B2DB7}\{45F26614-6ADF-43A4-B5A6-1F917C1DE834}.bin [2015-07-22] (Download Protect)
BHO-x32: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files (x86)\{88F2BEBC-E310-466E-AAF6-B647EF538B58}\{2FDA30AA-080D-4720-B65B-7287BE47EFB5}.bin [2015-07-22] (Download Protect)
FF DefaultSearchUrl: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=UTF-8&oe=UTF-8&meta=lr=lang_de&q=
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF NetworkProxy: "no_proxies_on", ""
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "type", 1
FF user.js: detected! => C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3382xg8l.default\user.js [2015-07-22]
FF HKLM-x32\...\Firefox\Extensions: [{CB235133-5305-4E26-8727-256679D3FF57}] - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi [2015-07-20]
FF HKLM-x32\...\Firefox\Extensions: [{434BF744-47E1-45F7-B215-EAE9123E8522}] - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi [2015-07-22]
FF Extension: No Name - C:\WINDOWS\Installer\{99D755A3-4ECD-4D83-9CA0-615EA62D70DA}\{4CC98C2D-7923-446E-B20F-C47DE4EF419B}.xpi [not found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
R2 DnsBlockUpdateSvc; C:\WINDOWS\system32\DnsBlockUpdateSvc.exe [149024 2015-06-21] ()
C:\WINDOWS\system32\DnsBlockUpdateSvc.exe
RemoveProxy:
Emptytemp:

Speichere diese bitte als Fixlist.txt auf deinem Desktop (oder dem Verzeichnis in dem sich FRST befindet).
  • Starte nun FRST erneut und klicke den Entfernen Button.
  • Das Tool erstellt eine Fixlog.txt.
  • Poste mir deren Inhalt.



Frisches FRST log bitte.

DWaKd 25.07.2015 18:21
Code:
Entferungsergebnis von Farbar Recovery Scan Tool (x64) Version:25-07-2015
durchgeführt von Admin an 2015-07-25 19:16:06 Run:1
Gestartet von C:\Users\Detlev\Desktop
Geladene Profile: Admin & Detlev (Verfügbare Profile: Admin & Detlev & Administrator)
Start-Modus: Normal
==============================================

fixlist Inhalt:
*****************
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser]  <======= ATTENTION (Policy restriction on ProxySettings)
ProxyEnable: [S-1-5-21-1058572625-867591187-812149052-1002] => Internet Explorer proxy is enabled.
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-1058572625-867591187-812149052-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1058572625-867591187-812149052-1002\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> {DF4AC5A7-A78F-4A31-B77B-BA9B88A14453} URL = hxxp://www.google.de/search?q={searchTerms}&hl=de&gl=de&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files\{DCB99623-DFAE-4297-B412-EB532D4B2DB7}\{45F26614-6ADF-43A4-B5A6-1F917C1DE834}.bin [2015-07-22] (Download Protect)
BHO-x32: DownloadProtect Extension -> {C654F3FE-8E84-4BB7-87CF-8D9171FC3C73} -> C:\Program Files (x86)\{88F2BEBC-E310-466E-AAF6-B647EF538B58}\{2FDA30AA-080D-4720-B65B-7287BE47EFB5}.bin [2015-07-22] (Download Protect)
FF DefaultSearchUrl: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=UTF-8&oe=UTF-8&meta=lr=lang_de&q=
FF Keyword.URL: hxxp://www.google.de/search?hl=de&gl=de&lr=&ie=utf-8&oe=utf-8&meta=lr=lang_de&q=
FF NetworkProxy: "no_proxies_on", ""
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "type", 1
FF user.js: detected! => C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3382xg8l.default\user.js [2015-07-22]
FF HKLM-x32\...\Firefox\Extensions: [{CB235133-5305-4E26-8727-256679D3FF57}] - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi [2015-07-20]
FF HKLM-x32\...\Firefox\Extensions: [{434BF744-47E1-45F7-B215-EAE9123E8522}] - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi
FF Extension: Download Protect - C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi [2015-07-22]
FF Extension: No Name - C:\WINDOWS\Installer\{99D755A3-4ECD-4D83-9CA0-615EA62D70DA}\{4CC98C2D-7923-446E-B20F-C47DE4EF419B}.xpi [not found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
R2 DnsBlockUpdateSvc; C:\WINDOWS\system32\DnsBlockUpdateSvc.exe [149024 2015-06-21] ()
C:\WINDOWS\system32\DnsBlockUpdateSvc.exe
RemoveProxy:
Emptytemp:
       
*****************

C:\WINDOWS\system32\GroupPolicy\Machine => erfolgreich verschoben.
C:\WINDOWS\system32\GroupPolicy\GPT.ini => erfolgreich verschoben.
"HKLM\SOFTWARE\Policies\Google" => Schlüssel erfolgreich entfernt
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Schlüssel erfolgreich entfernt
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => Schlüssel erfolgreich entfernt
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => Wert erfolgreich entfernt
HKU\S-1-5-21-1058572625-867591187-812149052-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => Wert erfolgreich entfernt
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Error setting value.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Error setting value.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Error setting value.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => Error setting value.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => Error setting value.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => Error setting value.
HKU\S-1-5-21-1058572625-867591187-812149052-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => Error setting value.
HKU\S-1-5-21-1058572625-867591187-812149052-1002\Software\Microsoft\Internet Explorer\Main\\Start Page => Error setting value.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DF4AC5A7-A78F-4A31-B77B-BA9B88A14453}" => Schlüssel erfolgreich entfernt
HKCR\CLSID\{DF4AC5A7-A78F-4A31-B77B-BA9B88A14453} => Schlüssel nicht gefunden.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Wert erfolgreich entfernt
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Wert erfolgreich entfernt
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Wert erfolgreich entfernt
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}" => Schlüssel erfolgreich entfernt
"HKCR\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}" => Schlüssel erfolgreich entfernt
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}" => Schlüssel erfolgreich entfernt
"HKCR\Wow6432Node\CLSID\{C654F3FE-8E84-4BB7-87CF-8D9171FC3C73}" => Schlüssel erfolgreich entfernt
Firefox DefaultSearchUrl erfolgreich entfernt
Firefox Keyword.URL erfolgreich entfernt
Firefox Keyword.URL erfolgreich entfernt
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3382xg8l.default\user.js => erfolgreich verschoben.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{CB235133-5305-4E26-8727-256679D3FF57} => Wert erfolgreich entfernt
C:\WINDOWS\Installer\{5831EE9F-D8BF-44EF-86B5-EDA1F471755C}\{CB235133-5305-4E26-8727-256679D3FF57}.xpi => erfolgreich verschoben.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{434BF744-47E1-45F7-B215-EAE9123E8522} => Wert nicht gefunden.
C:\WINDOWS\Installer\{722E7E38-D7B2-4DF3-B6CD-95EDE15A7325}\{434BF744-47E1-45F7-B215-EAE9123E8522}.xpi nicht gefunden.
C:\WINDOWS\Installer\{99D755A3-4ECD-4D83-9CA0-615EA62D70DA}\{4CC98C2D-7923-446E-B20F-C47DE4EF419B}.xpi nicht gefunden.
C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} nicht gefunden.
DnsBlockUpdateSvc => Dienst konnte nicht gestoppt werden.
DnsBlockUpdateSvc => Dienst erfolgreich entfernt
C:\WINDOWS\system32\DnsBlockUpdateSvc.exe => erfolgreich verschoben.

========= RemoveProxy: =========

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => Wert erfolgreich entfernt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => Wert erfolgreich entfernt
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => Wert erfolgreich entfernt
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => Wert erfolgreich entfernt
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => Wert erfolgreich entfernt
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => Wert erfolgreich entfernt
HKU\S-1-5-21-1058572625-867591187-812149052-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => Wert erfolgreich entfernt
HKU\S-1-5-21-1058572625-867591187-812149052-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => Wert erfolgreich entfernt
HKU\S-1-5-21-1058572625-867591187-812149052-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => Wert erfolgreich entfernt
HKU\S-1-5-21-1058572625-867591187-812149052-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => Wert erfolgreich entfernt


========= Ende von RemoveProxy: =========

EmptyTemp: => 49.9 MB temporäre Dateien entfernt.


Das System musste neu gestartet werden..

==== Ende von Fixlog 19:16:29 ====

schrauber 26.07.2015 13:13
Frisches FRST log bitte noch. Noch Probleme?


Alle Zeitangaben in WEZ +1. Es ist jetzt 08:56 Uhr.
Seite 1 von 3 1 23
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131