Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung

Log-Analyse und Auswertung: Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.

Antwort
Alt 08.10.2013, 15:52   #1
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Ausrufezeichen

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



05.10. abends: Beim Download einer Screen-Recorder-Software wird offenbar ein unerwünschtes Programm mitinstalliert. Als das auffällt, installiere ich noch ein Anti-Malware-Programm, das sich aber als Malware entpuppt. Nach dem Scannen und der - vermeintlichen - Reinigung taucht das Problem in neuer Form auf. Symptome:

1. Immer wieder kommt ein Popup mit dem Hinweis "Problem beim Starten von C:\Program Files (x86)\HomeTab\TBUpdater.dll Das angegebene Modul wurde nicht gefunden."

2. Im Browser (Firefox 24.0) kommt es dazu, dass auf allen angesurften Seiten Links markiert und gesetzt werden, die bei Mouseover irgendwelche Werbe-Popups generieren.

3. Gleichzeitig kommt es - auch ohne, dass ich auf diese Links klicke - zu einer starken Verlangsamung des Browsers, bis er schließlich alle 10 Minuten abstürzt und neu gestartet werden muss. Dieses Problem ist einigermaßen im Griff, seit ich im FF-Addon "Block site" eingestellt habe, dass die Seite "superfish.com" geblockt werden soll. Dorthin ging offenbar ein großer Teil dieser unerwünschten Zugriffe.

4. Geschockt war ich, als ich im Laufe des zweiten Tages feststellen musste, dass in MS Outlook 2010 sämtliche Einträge meines Kalenders und sämtliche Kontakte weg sind. Es gibt zwar ein nicht ganz aktuelles Backup dieser Daten, ich habe aber aufgrund der Infektion noch nicht versucht, dieses einzuspielen.

5. Zeitgleich - also kurz nach dem Auftreten der Infektion - lief zufälligerweise auch mein Abo für McAfee aus (der ohnehin keinerlei Meldung gemacht hat und beim mehreren Scans auch nichts gefunden hat). Ich habe dann McAfee deinstalliert und BitDefender als neue Anti-Virus-Software installiert. Diese hat zwar einige "Bedrohungen" gemeldet, allerdings nicht das o.a. Problem behoben.

Ich hänge anbei die Logfiles dazu, da sie zu groß sind, um hier gepostet zu werden.
Für Hilfe wäre ich sehr dankbar!
Liebe Grüße, Peter
Angehängte Dateien
Dateityp: txt FRST.txt (73,8 KB, 181x aufgerufen)

Alt 08.10.2013, 20:44   #2
schrauber
/// the machine
/// TB-Ausbilder
 

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



Hi,

Logs bitte immer in den Thread posten. Zur Not aufteilen und mehrere Posts nutzen.


So funktioniert es:
Posten in CODE-Tags
Die Logfiles anzuhängen oder sogar vorher in ein ZIP, RAR, 7Z-Archive zu packen erschwert mir massiv die Arbeit, es sei denn natürlich die Datei wäre ansonsten zu gross für das Forum. Um die Logfiles in eine CODE-Box zu stellen gehe so vor:
  • Markiere das gesamte Logfile (geht meist mit STRG+A) und kopiere es in die Zwischenablage mit STRG+C.
  • Klicke im Editor auf das #-Symbol. Es erscheinen zwei Klammerausdrücke [CODE] [/CODE].
  • Setze den Curser zwischen die CODE-Tags und drücke STRG+V.
  • Klicke auf Erweitert/Vorschau, um so prüfen, ob du es richtig gemacht hast. Wenn alles stimmt ... auf Antworten.
__________________

__________________

Alt 09.10.2013, 07:55   #3
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



Ok, ich teile dann mal auf. Die FRST.txt geht ja in einem:
-----------------------------------------------------------------------
FRST Logfile:
Code:
ATTFilter
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by Peter (administrator) on PETER-PC on 06-10-2013 16:02:50
Running from C:\Users\Peter\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Adobe Systems Incorporated) D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(devolo AG) C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe
() C:\Program Files\ShrewSoft\VPN Client\dtpd.exe
() C:\Program Files\ShrewSoft\VPN Client\iked.exe
() C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(McAfee, Inc.) C:\Windows\system32\mfevtps.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Nero AG) D:\Programme2\Nero MediaHome 4\NMMediaServerService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Western Digital) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Western Digital ) C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Western Digital ) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\itype.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfeeMOBK\WrapperTrayIcon.exe
(Microsoft Corporation) C:\Windows\WindowsMobile\wmdc.exe
(Microsoft Corporation) C:\Windows\vVX1000.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
(Akamai Technologies, Inc.) C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Akamai Technologies, Inc.) C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe
(Dropbox, Inc.) C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Steganos Software GmbH) C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Steganos Software GmbH) C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(McAfee, Inc.) C:\Program Files\McAfee\MAT\McPvTray.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_168.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_168.exe
(Microsoft Corporation) C:\Windows\system32\msiexec.exe
(McAfee, Inc.) c:\PROGRA~2\mcafee\SITEAD~1\saui.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7560296 2011-12-12] (Realtek Semiconductor)
HKLM\...\Run: [itype] - C:\Program Files\Microsoft IntelliType Pro\itype.exe [1873256 2011-08-10] (Microsoft Corporation)
HKLM\...\Run: [McAfeeWrapperApplication] - C:\Program Files (x86)\McAfeeMOBK\WrapperTrayIcon.exe [453344 2010-11-01] (McAfee, Inc.)
HKLM\...\Run: [Windows Mobile Device Center] - C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [VX1000] - C:\Windows\vVX1000.exe [762736 2010-05-20] (Microsoft Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [CAHeadless] - D:\Programme2\Elements 10 Organizer\CAHeadless\ElementsAutoAnalyzer.exe [835224 2011-09-01] (Adobe Systems Incorporated)
HKCU\...\Run: [Akamai NetSession Interface] - C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-05] (Akamai Technologies, Inc.)
HKCU\...\Run: [Xvid] - C:\Program Files (x86)\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKCU\...\Run: [GoogleDriveSync] - C:\Program Files (x86)\Google\Drive\googledrivesync.exe [20097696 2013-06-27] (Google)
HKCU\...\Run: [iCloudServices] - C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59720 2013-09-14] (Apple Inc.)
HKCU\...\Run: [ApplePhotoStreams] - C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-09-15] (Apple Inc.)
MountPoints2: {2e24191d-1ac1-11e2-80e7-5404a694fdb8} - F:\LaunchU3.exe -a
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-10-17] (Intel Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [537512 2013-08-06] (McAfee, Inc.)
HKLM-x32\...\Run: [SAFE2012 HotKeys] - C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe [84480 2011-11-16] (Steganos Software GmbH)
HKLM-x32\...\Run: [SAFE2012 File Redirection Starter] - C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe [17408 2011-11-16] (Steganos Software GmbH)
HKLM-x32\...\Run: [WD Quick View] - C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5235128 2012-06-14] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [mcpltui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [537512 2013-08-06] (McAfee, Inc.)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [KeePass 2 PreLoad] - C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2010624 2013-07-20] (Dominik Reichl)
HKLM-x32\...\Run: [CanonSolutionMenuEx] - C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [Nero MediaHome 4] - D:\Programme2\Nero MediaHome 4\NeroMediaHome.exe [5179880 2012-12-20] (Nero AG)
HKLM-x32\...\Run: [LifeCam] - C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [119152 2010-05-20] (Microsoft Corporation)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-10-01] (Apple Inc.)
HKU\Gast\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
Startup: C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\net.lnk
ShortcutTarget: net.lnk -> C:\Users\Peter\AppData\Roaming\Windows Net Data\net.exe (No File)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:newtab
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Bing
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://at.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x58E21E09E5BFCD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de-AT
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:newtab
URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
SearchScopes: HKLM - DefaultScope {79B94AF8-7523-46A1-B497-895316AE9EFE} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - DefaultScope {79B94AF8-7523-46A1-B497-895316AE9EFE} URL = hxxp://search.certified-toolbar.com?si=66920&st=bs&tid=6787&ver=4.4&ts=1380924000000.000007&tguid=66920-6787-1380977623167-84C69207A7127442B5072AAB1EC2F8F0&q={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - {79B94AF8-7523-46A1-B497-895316AE9EFE} URL = hxxp://search.certified-toolbar.com?si=66920&st=bs&tid=6787&ver=4.4&ts=1380924000000.000007&tguid=66920-6787-1380977623167-84C69207A7127442B5072AAB1EC2F8F0&q={searchTerms}
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.certified-toolbar.com?si=66920&st=bs&tid=6787&ver=4.4&ts=1380977623167&tguid=66920-6787-1380977623167-84C69207A7127442B5072AAB1EC2F8F0&q={searchTerms}
SearchScopes: HKCU - DefaultScope {C48A5632-A39A-4B31-B1E8-401292420037} URL = hxxp://search.certified-toolbar.com?si=66920&st=bs&tid=6787&ver=4.4&ts=1380924000000.000007&tguid=66920-6787-1380977623167-84C69207A7127442B5072AAB1EC2F8F0&q={searchTerms}
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL = 
SearchScopes: HKCU - {79B94AF8-7523-46A1-B497-895316AE9EFE} URL = 
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://de.search.yahoo.com/search?p={searchTerms}&fr=vc_trans_8140&type=horus
SearchScopes: HKCU - {C48A5632-A39A-4B31-B1E8-401292420037} URL = hxxp://search.certified-toolbar.com?si=66920&st=bs&tid=6787&ver=4.4&ts=1380924000000.000007&tguid=66920-6787-1380977623167-84C69207A7127442B5072AAB1EC2F8F0&q={searchTerms}
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Evernote extension - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO-x32: Nero Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Softonic Helper Object - {E87806B5-E908-45FD-AF5E-957D83E58E68} - C:\Program Files (x86)\Softonic\Softonic\1.8.19.3\bh\Softonic.dll (Softonic.com)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Nero Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - Softonic Toolbar - {5018CFD2-804D-4C99-9F81-25EAEA2769DE} - C:\Program Files (x86)\Softonic\Softonic\1.8.19.3\SoftonicTlbr.dll (Softonic.com)
Toolbar: HKCU -  No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 212.186.211.21 195.34.133.21
Tcpip\..\Interfaces\{18181201-0B52-474F-91F6-249D573C6B48}: [NameServer]10.10.110.1,10.10.110.3

FireFox:
========
FF ProfilePath: C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default
FF NewTab: about:home
FF DefaultSearchEngine: Web Search
FF SearchEngineOrder.1: Web Search
FF SelectedSearchEngine: Web Search
FF Homepage: about:home
FF Keyword.URL: hxxp://search.certified-toolbar.com?si=66920&tid=6787&ver=4.4&ts=1380924000000.000007&tguid=66920-6787-1380977623167-84C69207A7127442B5072AAB1EC2F8F0&st=chrome&q=
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_168.dll ()
FF Plugin: @java.com/DTPlugin,version=10.7.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.7.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/MSC,version=10 - c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_168.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @garmin.com/GpsControl - C:\Program Files (x86)\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/McAfeeMssPlugin - C:\Program Files (x86)\McAfee Security Scan\3.0.318\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin-x32: @mcafee.com/MSC,version=10 - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @mcafee.com/SAFFPlugin - C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @networksurveillance.com/camclictrl - C:\Program Files (x86)\NetworkSurveillanceNP\npCamCliCtrl.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\searchplugins\diepressecom_suche.xml
FF SearchPlugin: C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\searchplugins\softonic.xml
FF SearchPlugin: C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\searchplugins\Web Search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\Web Search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF Extension: No Name - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\c17236e8-fd66-44bc-aeef-1e00981cbb64@0a4ee0fe-5356-4fd3-b37c-5cd5671a315c.com
FF Extension: FireHbbTV - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\dlfr-firetv-plugin@atosorigin.com
FF Extension: DoNotTrackMe - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\donottrackplus@abine.com
FF Extension: pricealarm - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\EFGLQA@78ETGYN-0W7FN789T87.COM
FF Extension: Dấu trang iCloud - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\firefoxdav@icloud.com
FF Extension: selectivecookiedelete - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\selectivecookiedelete@siju.mathew
FF Extension: No Name - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
FF Extension: FireShot - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
FF Extension: Garmin Communicator - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF Extension: HomeTab - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{ad7ef860-f366-4be1-8d12-4363b9356947}
FF Extension: DownloadHelper - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF Extension: Block site - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
FF Extension: Evernote Web Clipper - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
FF Extension: Open With Photoshop - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{f3f219f9-cbce-467e-b8fe-6e076d29665c}
FF Extension: FoxyDeal - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{F58A62EB-38DC-43C4-A539-DC52E135208D}
FF Extension: New Tab King - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{FC5BAC7D-D696-4ba6-B913-CF8F000C33DF}
FF Extension: colorPicker - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\colorPicker@colorPicker.xpi
FF Extension: feedly - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\feedly@devhd.xpi
FF Extension: firefox - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\firefox@ghostery.com.xpi
FF Extension: historyblock - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\historyblock@kain.xpi
FF Extension: nadir.kadem - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\nadir.kadem@gmail.com.xpi
FF Extension: readable - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\readable@evernote.com.xpi
FF Extension: tiletabs - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\tiletabs@DW-dev.xpi
FF Extension: uriloader - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\uriloader@pdf.js.xpi
FF Extension: No Name - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\WTB_GLOBAL.sqlite
FF Extension: No Name - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF Extension: No Name - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi
FF Extension: No Name - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{64161300-e22b-11db-8314-0800200c9a66}.xpi
FF Extension: No Name - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF Extension: No Name - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: No Name - C:\Users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\oh0sils9.default\Extensions\{d9284e50-81fc-11da-a72b-0800200c9a66}.xpi
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK

Chrome: 
=======
CHR HomePage: about:newtab?source=home
CHR RestoreOnStartup: "about:newtab?source=home"], "restore_on_startup":4}, "countryid_at_install":16724, "homepage_is_newtabpage":"true", "browser":{"window_placement":{"work_area_top":0, "work_area_right":1600, "top":10, "left":10, "bottom":1150, "maximized":false, "right":1060, "work_area_left":0, "work_area_bottom":1160}}, "distribution":{"verbose_logging":false, "create_all_shortcuts":true, "import_search_engine":false, "skip_first_run_ui":true, "show_welcome_page":true, "do_not_launch_chrome":true, "make_chrome_default":true, "import_history":false}, "profile":{"content_settings":{"pref_version":1}, "exited_cleanly":true}, "dns_prefetching":{"startup_list":[1, "hxxp://fonts.googleapis.com/", "hxxp://ssl.gstatic.com/", "hxxp://themes.googleusercontent.com/", "hxxp://tools.google.com/", "hxxp://www.google-analytics.com/", "hxxp://www.google.at/", "hxxp://www.google.com/"], "host_referral_list":[2, ["hxxp://tools.google.com/", ["hxxp://fonts.googleapis.com/", 2.6037004, "hxxp://themes.googleusercontent.com/", 2.6037004, "hxxp://tools.google.com/", 3.9249812, "hxxp://www.google-analytics.com/", 2.9340206, "hxxp://www.google.com/", 3.2643408]], ["hxxp://www.google.at/", ["hxxp://ssl.gstatic.com/", 2.6037004, "hxxp://www.google.at/", 4.5856216, "hxxp://www.google.com/", 2.2733802]], ["hxxp://www.google.com/", ["hxxp://www.google.at/", 2.6037004]]]}, "homepage":"about:newtab?source=home", "download":{"directory_upgrade":true, "extensions_to_open":""
CHR Extension: (FoxyDeal) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiennapmieppnpfhhogglccgepbdajan\6.2.0_0
CHR Extension: (YouTube) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0
CHR Extension: (Google Search) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0
CHR Extension: (Softonic Chrome Toolbar) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\elchiiiejkobdbblfejjkbphbddgmljf\1.0_0
CHR Extension: () - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmlgoencnlndpglbocajlimaikjohmab\background.html
CHR Extension: (Plus-HD-3.8) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\ofjgnhihlklpobkaloamkankaaoclfjh\1.23.19_0
CHR Extension: (Gmail) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0
CHR HKLM-x32\...\Chrome\Extension: [bddpogknpjlgfpbboediomaiiaecfajn] - C:\Program Files (x86)\HomeTab\chrome\HomeTab.crx
CHR HKLM-x32\...\Chrome\Extension: [elchiiiejkobdbblfejjkbphbddgmljf] - C:\Program Files (x86)\Softonic\Softonic\1.8.19.3\Softonic.crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx

==================== Services (Whitelisted) =================

R2 AdobeActiveFileMonitor10.0; D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [169624 2011-09-01] (Adobe Systems Incorporated)
R2 DevoloNetworkService; C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe [3304768 2010-12-23] (devolo AG)
R2 dtpd; C:\Program Files\ShrewSoft\VPN Client\dtpd.exe [56592 2010-10-08] ()
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 iked; C:\Program Files\ShrewSoft\VPN Client\iked.exe [957712 2010-10-08] ()
R2 ipsecd; C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe [697616 2010-10-08] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178048 2013-08-06] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1017016 2013-08-05] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-08-07] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-08-07] (McAfee, Inc.)
R2 MOBKbackup; C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe [231224 2010-04-13] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 NeroMediaHomeService.4; D:\Programme2\Nero MediaHome 4\NMMediaServerService.exe [518632 2012-12-20] (Nero AG)
S3 w7Svc; D:\Programme2\webcam 7\wService.exe [5312832 2013-09-12] (Moonware Studios)
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1151424 2012-06-14] (Western Digital )
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [248248 2012-06-14] (Western Digital)
R2 WDRulesService; C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [1177536 2012-06-14] (Western Digital )

==================== Drivers (Whitelisted) ====================

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-08-07] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197264 2012-05-28] (McAfee, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R0 McPvDrv; C:\Windows\System32\drivers\McPvDrv.sys [74560 2013-09-09] (McAfee, Inc.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179664 2013-08-07] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [310224 2013-08-07] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [519064 2013-08-07] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [776168 2013-08-07] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [377040 2013-07-09] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [95984 2013-07-09] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [343568 2013-08-07] (McAfee, Inc.)
R1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [66040 2010-04-13] (Mozy, Inc.)
R2 NPF_devolo; C:\Windows\sysWOW64\drivers\npf_devolo.sys [34048 2010-06-10] (CACE Technologies)
R1 PStrip64; C:\Windows\System32\drivers\pstrip64.sys [13008 2006-09-30] ()
R1 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
R1 SLEE_17_DRIVER; C:\Windows\Sleen1764.sys [108256 2010-02-17] (Softwareentwicklung Remus - ArchiCrypt - )
R1 SLEE_17_DRIVER; C:\Windows\Sleen1764.sys [108256 2010-02-17] (Softwareentwicklung Remus - ArchiCrypt - )
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-06 15:53 - 2013-10-06 15:53 - 00001790 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-10-06 15:52 - 2013-10-06 15:53 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-10-06 15:52 - 2013-10-06 15:53 - 00000000 ____D C:\Program Files\iTunes
2013-10-06 15:52 - 2013-10-06 15:52 - 00000000 ____D C:\Program Files\iPod
2013-10-06 15:50 - 2013-10-06 15:53 - 00000000 ____D C:\Users\Peter\Desktop\Filme
2013-10-06 15:43 - 2013-10-06 15:44 - 00000000 ____D C:\Users\Peter\AppData\Local\425413CC-3B97-42D2-B2A1-98DD68070B00.aplzod
2013-10-06 15:32 - 2013-10-06 15:32 - 00000000 ____D C:\Users\Peter\AppData\Local\{2AE9B9E8-C6FE-4F76-BEEA-41C686552352}
2013-10-06 10:39 - 2013-10-06 10:39 - 00075776 _____ C:\Users\Peter\Downloads\FRST.txt
2013-10-06 10:37 - 2013-10-06 10:37 - 00035129 _____ C:\Users\Peter\Downloads\Addition.txt
2013-10-06 10:35 - 2013-10-06 10:35 - 00000000 ____D C:\FRST
2013-10-06 10:34 - 2013-10-06 10:35 - 01954124 _____ (Farbar) C:\Users\Peter\Desktop\FRST64.exe
2013-10-05 19:42 - 2013-10-05 19:42 - 00000000 ____D C:\Users\Peter\Desktop\Debut
2013-10-05 19:20 - 2013-10-05 19:21 - 00000000 ____D C:\Users\Peter\AppData\Local\{F42F3FFA-5143-40B9-9F97-04AEBC0A5337}
2013-10-05 17:02 - 2013-10-05 17:02 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme
2013-10-05 17:00 - 2013-10-05 17:00 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette
2013-10-05 16:46 - 2013-10-05 18:55 - 00000000 ____D C:\ProgramData\webcam 7
2013-10-05 16:46 - 2013-10-05 16:46 - 00000725 _____ C:\Users\Public\Desktop\webcam 7.lnk
2013-10-05 16:43 - 2013-10-05 16:45 - 14217328 _____ (Moonware Studios) C:\Users\Peter\Downloads\w7inst_1050.exe
2013-10-05 16:36 - 2013-10-05 16:36 - 00000000 ____D C:\Program Files\Microsoft LifeCam
2013-10-05 16:36 - 2013-10-05 16:36 - 00000000 ____D C:\Program Files (x86)\Microsoft LifeCam
2013-10-05 16:33 - 2013-10-05 18:57 - 00921624 _____ C:\img2-001.raw
2013-10-05 15:58 - 2013-10-05 15:58 - 00001116 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-10-05 15:58 - 2013-10-05 15:58 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Malwarebytes
2013-10-05 15:58 - 2013-10-05 15:58 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-05 15:58 - 2013-10-05 15:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-05 15:58 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-10-05 15:57 - 2013-10-05 15:57 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Peter\Downloads\mbam-setup-1.75.0.1300.exe
2013-10-05 15:09 - 2013-10-05 15:09 - 00000000 _____ C:\autoexec.bat
2013-10-05 15:08 - 2013-10-05 15:52 - 00000000 ____D C:\Windows\86CA3695A4124BAE92B649A60C2AC663.TMP
2013-10-05 15:08 - 2013-10-05 15:08 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-10-05 15:06 - 2013-10-05 15:06 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Peter\Downloads\SpyHunter-Installer.exe
2013-10-05 14:56 - 2013-10-05 21:42 - 00000000 ____D C:\Windows\System32\Tasks\NCH Software
2013-10-05 14:55 - 2013-10-05 17:02 - 00000000 ____D C:\Users\Peter\AppData\Roaming\NCH Software
2013-10-05 14:55 - 2013-10-05 17:02 - 00000000 ____D C:\ProgramData\NCH Software
2013-10-05 14:55 - 2013-10-05 17:02 - 00000000 ____D C:\Program Files (x86)\NCH Software
2013-10-05 14:55 - 2013-10-05 14:55 - 00000000 ____D C:\SoloApp
2013-10-05 14:55 - 2013-10-05 14:55 - 00000000 ____D C:\Program Files (x86)\foxydeal
2013-10-05 14:54 - 2013-10-05 14:54 - 00000000 ____D C:\Windows\System32\Tasks\Browser Updater
2013-10-05 14:53 - 2013-10-06 07:10 - 00000000 ____D C:\Users\Peter\AppData\Roaming\SimplyTech
2013-10-05 14:53 - 2013-10-06 07:10 - 00000000 ____D C:\Users\Peter\AppData\Roaming\HomeTab
2013-10-05 14:53 - 2013-10-05 14:55 - 00000000 ____D C:\Users\Peter\AppData\Local\DownloadGuide
2013-10-05 14:53 - 2013-10-05 14:53 - 00000000 ____D C:\Windows\System32\Tasks\ProtectedSearch
2013-10-05 14:53 - 2013-08-13 08:38 - 00032328 _____ C:\Windows\Launcher.exe
2013-10-05 14:52 - 2013-10-05 14:53 - 00478552 _____ C:\Users\Peter\Downloads\debutsetup-Downloader.exe
2013-10-05 14:48 - 2013-10-05 14:48 - 00000000 ____D C:\Program Files (x86)\Softonic
2013-10-05 14:47 - 2013-10-05 14:47 - 00000646 _____ C:\Users\Public\Desktop\CamStudio-Recorder.lnk
2013-10-05 14:47 - 2013-10-05 14:47 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Softonic
2013-10-05 14:47 - 2010-10-24 00:56 - 00049664 _____ (CamStudio Group) C:\Windows\system32\CamCodec.dll
2013-10-04 21:18 - 2013-10-04 21:18 - 01586314 _____ C:\Users\Peter\Desktop\Report - Monatswerte NEU.xlsx
2013-10-03 18:09 - 2013-10-03 18:10 - 00000000 ____D C:\Users\Peter\AppData\Local\{7A7F492A-5CCC-4350-8FA1-0A949E4D03CC}
2013-10-01 09:38 - 2013-10-01 09:43 - 97176400 _____ (Apple Inc.) C:\Users\Peter\Downloads\iTunes64Setup(1).exe
2013-10-01 07:51 - 2013-10-05 14:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-09-30 20:28 - 2013-09-30 20:34 - 97176400 _____ (Apple Inc.) C:\Users\Peter\Downloads\iTunes64Setup.exe
2013-09-30 18:41 - 2013-09-30 18:41 - 00000000 ____D C:\Users\Peter\AppData\Local\{A14E9CCA-8D5C-4D29-884F-B89D17C113DD}
2013-09-29 15:02 - 2013-09-29 15:02 - 00000000 ____D C:\Users\Peter\AppData\Local\{F19D8B91-8397-477D-8D9F-14D82EB0491A}
2013-09-28 10:37 - 2013-09-28 10:38 - 17613436 _____ (Yoono                                                       ) C:\Users\Peter\Downloads\yoono-desktop-1.8.43.exe
2013-09-28 10:16 - 2013-09-28 10:16 - 00000000 ____D C:\Users\Peter\AppData\Roaming\sobees Ltd
2013-09-28 10:15 - 2013-09-28 10:15 - 00001130 _____ C:\Users\Peter\Desktop\Die Stunde des Jägers - Verknüpfung.lnk
2013-09-28 10:00 - 2013-09-28 10:00 - 00437208 _____ () C:\Users\Peter\Downloads\SobeesSetup.exe
2013-09-27 20:42 - 2013-09-27 20:42 - 00000268 _____ C:\Users\Peter\Desktop\Will Jobs & Karriere - Super schnell zum super Job auf willhaben.at.URL
2013-09-27 17:40 - 2013-09-09 11:11 - 00074560 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\McPvDrv.sys
2013-09-27 16:54 - 2013-09-27 16:54 - 00067535 _____ C:\Users\Peter\Downloads\wp-user-avatar.1.6.1.zip
2013-09-26 08:20 - 2013-09-26 08:20 - 00000000 ____D C:\Users\Peter\AppData\Local\{F34F65F1-3346-4362-8ED2-CD566AB59BFB}
2013-09-25 15:25 - 2013-09-25 15:26 - 00000000 ____D C:\Users\Peter\AppData\Local\{5EA242D1-6254-4A81-98D0-BA4D494B35B6}
2013-09-25 15:25 - 2013-09-25 15:25 - 00000000 ____D C:\Users\Peter\AppData\Local\{51512760-C871-427F-96DD-233F202B0471}
2013-09-25 13:49 - 2013-09-25 13:49 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Nero
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Vorlagen
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Startmenü
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Netzwerkumgebung
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Lokale Einstellungen
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Eigene Dateien
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Druckumgebung
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Documents\Eigene Musik
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Documents\Eigene Bilder
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Microsoft\Windows\Start Menu\Programme
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\AppData\Local\Verlauf
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\AppData\Local\Anwendungsdaten
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Anwendungsdaten
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 ____D C:\Users\Peter\AppData\Local\Nero
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Local\Nero
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 ____D C:\Users\NeroMediaHomeUser.4
2013-09-25 13:48 - 2012-04-13 18:56 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Local\Microsoft Help
2013-09-25 13:48 - 2012-03-07 21:59 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Local\Western Digital
2013-09-25 13:48 - 2012-03-05 21:33 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Macromedia
2013-09-25 13:48 - 2010-11-21 05:40 - 00000000 ___RD C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-25 13:48 - 2010-11-21 05:40 - 00000000 ___RD C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-25 13:48 - 2010-11-21 04:51 - 00001449 _____ C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-09-25 13:48 - 2010-11-21 04:51 - 00001415 _____ C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2013-09-25 13:48 - 2010-11-21 04:50 - 00000020 ___SH C:\Users\NeroMediaHomeUser.4\ntuser.ini
2013-09-25 13:48 - 2009-07-14 06:54 - 00000000 ___RD C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-09-25 13:48 - 2009-07-14 06:49 - 00000000 ___RD C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-09-24 12:34 - 2013-09-24 12:34 - 00000000 ____D C:\Users\Peter\AppData\Local\{EF1D45A0-CE13-4684-8386-9C4F7B7F997D}
2013-09-24 12:33 - 2013-09-24 12:33 - 00000000 ____D C:\Users\Peter\AppData\Local\{F3756F47-91E3-4CE8-85B9-62C75C52EF18}
2013-09-18 16:40 - 2013-09-25 16:57 - 00000000 ____D C:\Users\Peter\Desktop\Musik Rosi
2013-09-16 19:21 - 2013-10-06 15:54 - 00000000 ___RD C:\Users\Peter\Google Drive
2013-09-16 19:08 - 2013-09-16 19:08 - 00784832 _____ (Google Inc.) C:\Users\Peter\Downloads\googledrivesync.exe
2013-09-13 21:26 - 2013-09-13 21:26 - 00000000 ____D C:\Users\Peter\AppData\Roaming\OpenOffice
2013-09-13 21:25 - 2013-09-13 21:25 - 00000000 ____D C:\Program Files (x86)\OpenOffice 4
2013-09-13 21:08 - 2013-09-13 21:08 - 00614816 _____ C:\Users\Peter\Downloads\OpenOffice - CHIP-Downloader.exe
2013-09-12 23:13 - 2013-09-12 23:13 - 00320512 _____ C:\Windows\SysWOW64\LiveWrapRTSP.dll
2013-09-12 08:07 - 2013-09-12 08:07 - 00000000 ____D C:\Windows\rescache
2013-09-11 21:36 - 2013-08-10 07:22 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-11 21:36 - 2013-08-10 07:22 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-09-11 21:36 - 2013-08-10 07:22 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-09-11 21:36 - 2013-08-10 07:21 - 19246592 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-09-11 21:36 - 2013-08-10 07:21 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-09-11 21:36 - 2013-08-10 07:21 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-09-11 21:36 - 2013-08-10 07:20 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-09-11 21:36 - 2013-08-10 07:20 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-09-11 21:36 - 2013-08-10 07:20 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-09-11 21:36 - 2013-08-10 07:20 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-09-11 21:36 - 2013-08-10 07:20 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-09-11 21:36 - 2013-08-10 07:20 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-09-11 21:36 - 2013-08-10 07:20 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-09-11 21:36 - 2013-08-10 07:20 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-09-11 21:36 - 2013-08-10 05:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-09-11 21:36 - 2013-08-10 05:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-09-11 21:36 - 2013-08-10 05:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-09-11 21:36 - 2013-08-10 05:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-09-11 21:36 - 2013-08-10 05:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-11 21:36 - 2013-08-10 04:27 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-09-11 21:36 - 2013-08-10 04:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-09-11 17:19 - 2013-09-11 17:19 - 01128019 _____ C:\Users\Peter\Downloads\wordpress-seo.1.4.15.zip
2013-09-11 09:27 - 2013-09-11 09:27 - 00070274 _____ C:\Users\Peter\Downloads\mini-twitter-feed.2.0.1.zip
2013-09-11 07:46 - 2013-08-08 03:20 - 03155456 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-09-11 07:46 - 2013-08-05 04:25 - 00155584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ataport.sys
2013-09-11 07:46 - 2013-08-02 04:23 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-09-11 07:46 - 2013-08-02 04:15 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-09-11 07:46 - 2013-08-02 04:15 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2013-09-11 07:46 - 2013-08-02 04:15 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-09-11 07:46 - 2013-08-02 04:15 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2013-09-11 07:46 - 2013-08-02 04:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2013-09-11 07:46 - 2013-08-02 04:14 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2013-09-11 07:46 - 2013-08-02 04:13 - 01161216 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2013-09-11 07:46 - 2013-08-02 04:13 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 04:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:59 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-09-11 07:46 - 2013-08-02 03:59 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-09-11 07:46 - 2013-08-02 03:51 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-09-11 07:46 - 2013-08-02 03:50 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-09-11 07:46 - 2013-08-02 03:50 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-09-11 07:46 - 2013-08-02 03:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 03:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2013-09-11 07:46 - 2013-08-02 02:59 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2013-09-11 07:46 - 2013-08-02 02:45 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-09-11 07:46 - 2013-08-02 02:45 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-09-11 07:46 - 2013-08-02 02:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-09-11 07:46 - 2013-08-02 02:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-09-11 07:46 - 2013-08-02 02:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 02:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 02:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-09-11 07:46 - 2013-08-02 02:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-09-11 07:45 - 2013-07-26 04:24 - 14172672 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2013-09-11 07:44 - 2013-07-26 04:24 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll
2013-09-11 07:44 - 2013-07-26 03:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-09-11 07:44 - 2013-07-26 03:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-09-08 17:54 - 2013-09-08 17:55 - 00000000 ____D C:\Users\Peter\AppData\Local\{C5FD1A60-452C-4222-9310-0E9F373EA216}
2013-09-07 19:55 - 2013-09-07 19:55 - 00000000 ____D C:\Users\Peter\AppData\Local\{4FBB8C86-DA40-40CA-8639-17D8143B76A5}

==================== One Month Modified Files and Folders =======

2013-10-06 16:02 - 2012-04-27 17:48 - 00000884 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-06 16:01 - 2009-07-14 06:45 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-06 16:01 - 2009-07-14 06:45 - 00021904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-06 16:00 - 2010-11-21 08:50 - 00702942 _____ C:\Windows\system32\perfh007.dat
2013-10-06 16:00 - 2010-11-21 08:50 - 00150582 _____ C:\Windows\system32\perfc007.dat
2013-10-06 16:00 - 2009-07-14 07:13 - 01629284 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-06 15:58 - 2012-03-05 21:49 - 00000000 ____D C:\Users\Peter\AppData\Local\Apple
2013-10-06 15:57 - 2012-03-06 22:05 - 00001108 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-06 15:57 - 2012-03-05 20:24 - 01092749 _____ C:\Windows\WindowsUpdate.log
2013-10-06 15:56 - 2013-01-15 19:54 - 00000000 __RSD C:\Users\Peter\Documents\McAfee-Tresore
2013-10-06 15:54 - 2013-09-16 19:21 - 00000000 ___RD C:\Users\Peter\Google Drive
2013-10-06 15:54 - 2013-08-18 18:00 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-10-06 15:54 - 2013-07-26 17:16 - 00015370 _____ C:\Windows\setupact.log
2013-10-06 15:54 - 2012-04-03 22:09 - 00000000 ___RD C:\Users\Peter\Dropbox
2013-10-06 15:54 - 2012-04-03 22:06 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Dropbox
2013-10-06 15:54 - 2012-03-06 22:05 - 00001104 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-06 15:54 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-06 15:53 - 2013-10-06 15:53 - 00001790 _____ C:\Users\Public\Desktop\iTunes.lnk
2013-10-06 15:53 - 2013-10-06 15:52 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-10-06 15:53 - 2013-10-06 15:52 - 00000000 ____D C:\Program Files\iTunes
2013-10-06 15:53 - 2013-10-06 15:50 - 00000000 ____D C:\Users\Peter\Desktop\Filme
2013-10-06 15:52 - 2013-10-06 15:52 - 00000000 ____D C:\Program Files\iPod
2013-10-06 15:50 - 2012-03-06 22:20 - 00000000 ____D C:\Users\Peter\AppData\Roaming\vlc
2013-10-06 15:44 - 2013-10-06 15:43 - 00000000 ____D C:\Users\Peter\AppData\Local\425413CC-3B97-42D2-B2A1-98DD68070B00.aplzod
2013-10-06 15:44 - 2012-03-05 21:49 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Apple Computer
2013-10-06 15:40 - 2012-03-05 21:49 - 00000000 ____D C:\Users\Peter\AppData\Local\Apple Computer
2013-10-06 15:32 - 2013-10-06 15:32 - 00000000 ____D C:\Users\Peter\AppData\Local\{2AE9B9E8-C6FE-4F76-BEEA-41C686552352}
2013-10-06 14:26 - 2012-03-18 21:02 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{5C497AA6-8DA4-4F51-9231-255D2BE41896}
2013-10-06 14:04 - 2012-03-06 22:40 - 00000000 ____D C:\Users\Peter\AppData\Roaming\KeePass
2013-10-06 10:39 - 2013-10-06 10:39 - 00075776 _____ C:\Users\Peter\Downloads\FRST.txt
2013-10-06 10:37 - 2013-10-06 10:37 - 00035129 _____ C:\Users\Peter\Downloads\Addition.txt
2013-10-06 10:35 - 2013-10-06 10:35 - 00000000 ____D C:\FRST
2013-10-06 10:35 - 2013-10-06 10:34 - 01954124 _____ (Farbar) C:\Users\Peter\Desktop\FRST64.exe
2013-10-06 09:41 - 2013-09-03 11:03 - 00424960 ___SH C:\Users\Peter\Desktop\Thumbs.db
2013-10-06 08:57 - 2012-03-05 22:33 - 00000000 ____D C:\Program Files (x86)\ThumbsPlus 7x deutsch
2013-10-06 07:12 - 2010-11-21 05:47 - 00607682 _____ C:\Windows\PFRO.log
2013-10-06 07:10 - 2013-10-05 14:53 - 00000000 ____D C:\Users\Peter\AppData\Roaming\SimplyTech
2013-10-06 07:10 - 2013-10-05 14:53 - 00000000 ____D C:\Users\Peter\AppData\Roaming\HomeTab
2013-10-05 21:42 - 2013-10-05 14:56 - 00000000 ____D C:\Windows\System32\Tasks\NCH Software
2013-10-05 19:42 - 2013-10-05 19:42 - 00000000 ____D C:\Users\Peter\Desktop\Debut
2013-10-05 19:21 - 2013-10-05 19:20 - 00000000 ____D C:\Users\Peter\AppData\Local\{F42F3FFA-5143-40B9-9F97-04AEBC0A5337}
2013-10-05 18:57 - 2013-10-05 16:33 - 00921624 _____ C:\img2-001.raw
2013-10-05 18:57 - 2012-07-14 21:31 - 00000000 ____D C:\Users\Peter\Tracing
2013-10-05 18:55 - 2013-10-05 16:46 - 00000000 ____D C:\ProgramData\webcam 7
2013-10-05 18:55 - 2013-04-05 10:59 - 02274213 _____ C:\Users\Peter\AppData\Roaming\CamShapes.ini
2013-10-05 18:55 - 2013-04-05 10:59 - 00000408 _____ C:\Users\Peter\AppData\Roaming\CamLayout.ini
2013-10-05 18:55 - 2013-04-05 10:59 - 00000096 _____ C:\Users\Peter\AppData\Roaming\Camdata.ini
2013-10-05 17:02 - 2013-10-05 17:02 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Videoverwandte Programme
2013-10-05 17:02 - 2013-10-05 14:55 - 00000000 ____D C:\Users\Peter\AppData\Roaming\NCH Software
2013-10-05 17:02 - 2013-10-05 14:55 - 00000000 ____D C:\ProgramData\NCH Software
2013-10-05 17:02 - 2013-10-05 14:55 - 00000000 ____D C:\Program Files (x86)\NCH Software
2013-10-05 17:00 - 2013-10-05 17:00 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NCH Software Produktpalette
2013-10-05 16:46 - 2013-10-05 16:46 - 00000725 _____ C:\Users\Public\Desktop\webcam 7.lnk
2013-10-05 16:45 - 2013-10-05 16:43 - 14217328 _____ (Moonware Studios) C:\Users\Peter\Downloads\w7inst_1050.exe
2013-10-05 16:36 - 2013-10-05 16:36 - 00000000 ____D C:\Program Files\Microsoft LifeCam
2013-10-05 16:36 - 2013-10-05 16:36 - 00000000 ____D C:\Program Files (x86)\Microsoft LifeCam
2013-10-05 15:58 - 2013-10-05 15:58 - 00001116 _____ C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
2013-10-05 15:58 - 2013-10-05 15:58 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Malwarebytes
2013-10-05 15:58 - 2013-10-05 15:58 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-10-05 15:58 - 2013-10-05 15:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-10-05 15:57 - 2013-10-05 15:57 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Peter\Downloads\mbam-setup-1.75.0.1300.exe
2013-10-05 15:52 - 2013-10-05 15:08 - 00000000 ____D C:\Windows\86CA3695A4124BAE92B649A60C2AC663.TMP
2013-10-05 15:52 - 2012-04-13 19:09 - 00000000 ____D C:\Windows\system32\appmgmt
2013-10-05 15:09 - 2013-10-05 15:09 - 00000000 _____ C:\autoexec.bat
2013-10-05 15:08 - 2013-10-05 15:08 - 00000000 ____D C:\Program Files\Enigma Software Group
2013-10-05 15:06 - 2013-10-05 15:06 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\Peter\Downloads\SpyHunter-Installer.exe
2013-10-05 14:55 - 2013-10-05 14:55 - 00000000 ____D C:\SoloApp
2013-10-05 14:55 - 2013-10-05 14:55 - 00000000 ____D C:\Program Files (x86)\foxydeal
2013-10-05 14:55 - 2013-10-05 14:53 - 00000000 ____D C:\Users\Peter\AppData\Local\DownloadGuide
2013-10-05 14:54 - 2013-10-05 14:54 - 00000000 ____D C:\Windows\System32\Tasks\Browser Updater
2013-10-05 14:54 - 2012-03-05 20:24 - 00000000 ___RD C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-10-05 14:53 - 2013-10-05 14:53 - 00000000 ____D C:\Windows\System32\Tasks\ProtectedSearch
2013-10-05 14:53 - 2013-10-05 14:52 - 00478552 _____ C:\Users\Peter\Downloads\debutsetup-Downloader.exe
2013-10-05 14:53 - 2013-10-01 07:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-10-05 14:53 - 2012-03-05 22:24 - 00003820 _____ C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar
2013-10-05 14:48 - 2013-10-05 14:48 - 00000000 ____D C:\Program Files (x86)\Softonic
2013-10-05 14:47 - 2013-10-05 14:47 - 00000646 _____ C:\Users\Public\Desktop\CamStudio-Recorder.lnk
2013-10-05 14:47 - 2013-10-05 14:47 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Softonic
2013-10-05 14:19 - 2012-03-09 20:56 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-10-04 21:18 - 2013-10-04 21:18 - 01586314 _____ C:\Users\Peter\Desktop\Report - Monatswerte NEU.xlsx
2013-10-03 18:10 - 2013-10-03 18:09 - 00000000 ____D C:\Users\Peter\AppData\Local\{7A7F492A-5CCC-4350-8FA1-0A949E4D03CC}
2013-10-03 06:55 - 2012-04-24 17:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-10-02 07:08 - 2012-03-05 20:27 - 00000000 ____D C:\Users\Peter\AppData\Local\Mozilla
2013-10-01 09:43 - 2013-10-01 09:38 - 97176400 _____ (Apple Inc.) C:\Users\Peter\Downloads\iTunes64Setup(1).exe
2013-09-30 20:34 - 2013-09-30 20:28 - 97176400 _____ (Apple Inc.) C:\Users\Peter\Downloads\iTunes64Setup.exe
2013-09-30 18:41 - 2013-09-30 18:41 - 00000000 ____D C:\Users\Peter\AppData\Local\{A14E9CCA-8D5C-4D29-884F-B89D17C113DD}
2013-09-29 21:54 - 2012-08-31 21:27 - 01602628 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-09-29 15:02 - 2013-09-29 15:02 - 00000000 ____D C:\Users\Peter\AppData\Local\{F19D8B91-8397-477D-8D9F-14D82EB0491A}
2013-09-28 18:43 - 2013-04-05 07:55 - 00000000 ____D C:\Users\Peter\AppData\Roaming\FileZilla
2013-09-28 10:49 - 2013-03-23 15:51 - 00000000 ____D C:\Users\Peter\AppData\Local\Deployment
2013-09-28 10:38 - 2013-09-28 10:37 - 17613436 _____ (Yoono                                                       ) C:\Users\Peter\Downloads\yoono-desktop-1.8.43.exe
2013-09-28 10:16 - 2013-09-28 10:16 - 00000000 ____D C:\Users\Peter\AppData\Roaming\sobees Ltd
2013-09-28 10:15 - 2013-09-28 10:15 - 00001130 _____ C:\Users\Peter\Desktop\Die Stunde des Jägers - Verknüpfung.lnk
2013-09-28 10:00 - 2013-09-28 10:00 - 00437208 _____ () C:\Users\Peter\Downloads\SobeesSetup.exe
2013-09-27 20:42 - 2013-09-27 20:42 - 00000268 _____ C:\Users\Peter\Desktop\Will Jobs & Karriere - Super schnell zum super Job auf willhaben.at.URL
2013-09-27 16:54 - 2013-09-27 16:54 - 00067535 _____ C:\Users\Peter\Downloads\wp-user-avatar.1.6.1.zip
2013-09-26 08:20 - 2013-09-26 08:20 - 00000000 ____D C:\Users\Peter\AppData\Local\{F34F65F1-3346-4362-8ED2-CD566AB59BFB}
2013-09-25 16:57 - 2013-09-18 16:40 - 00000000 ____D C:\Users\Peter\Desktop\Musik Rosi
2013-09-25 15:26 - 2013-09-25 15:25 - 00000000 ____D C:\Users\Peter\AppData\Local\{5EA242D1-6254-4A81-98D0-BA4D494B35B6}
2013-09-25 15:25 - 2013-09-25 15:25 - 00000000 ____D C:\Users\Peter\AppData\Local\{51512760-C871-427F-96DD-233F202B0471}
2013-09-25 13:49 - 2013-09-25 13:49 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Nero
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Vorlagen
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Startmenü
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Netzwerkumgebung
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Lokale Einstellungen
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Eigene Dateien
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Druckumgebung
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Documents\Eigene Musik
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Documents\Eigene Bilder
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\AppData\Roaming\Microsoft\Windows\Start Menu\Programme
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\AppData\Local\Verlauf
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\AppData\Local\Anwendungsdaten
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 _SHDL C:\Users\NeroMediaHomeUser.4\Anwendungsdaten
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 ____D C:\Users\Peter\AppData\Local\Nero
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 ____D C:\Users\NeroMediaHomeUser.4\AppData\Local\Nero
2013-09-25 13:48 - 2013-09-25 13:48 - 00000000 ____D C:\Users\NeroMediaHomeUser.4
2013-09-25 13:48 - 2012-03-06 21:05 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Nero
2013-09-25 13:48 - 2012-03-06 08:16 - 00000000 ____D C:\ProgramData\Nero
2013-09-24 12:34 - 2013-09-24 12:34 - 00000000 ____D C:\Users\Peter\AppData\Local\{EF1D45A0-CE13-4684-8386-9C4F7B7F997D}
2013-09-24 12:33 - 2013-09-24 12:33 - 00000000 ____D C:\Users\Peter\AppData\Local\{F3756F47-91E3-4CE8-85B9-62C75C52EF18}
2013-09-20 19:02 - 2012-04-27 17:48 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-20 19:02 - 2012-04-27 17:48 - 00003822 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-09-20 19:02 - 2012-03-05 20:25 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-16 19:21 - 2012-03-05 20:24 - 00000000 ____D C:\Users\Peter
2013-09-16 19:11 - 2012-03-06 22:05 - 00000000 ____D C:\Users\Peter\AppData\Local\Google
2013-09-16 19:11 - 2012-03-06 22:05 - 00000000 ____D C:\Program Files (x86)\Google
2013-09-16 19:08 - 2013-09-16 19:08 - 00784832 _____ (Google Inc.) C:\Users\Peter\Downloads\googledrivesync.exe
2013-09-16 08:54 - 2013-04-05 07:53 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
2013-09-16 08:54 - 2013-04-05 07:53 - 00000000 ____D C:\Program Files (x86)\FileZilla FTP Client
2013-09-14 09:16 - 2009-07-14 06:45 - 00384080 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-13 21:39 - 2012-03-05 20:24 - 00096944 _____ C:\Users\Peter\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-13 21:26 - 2013-09-13 21:26 - 00000000 ____D C:\Users\Peter\AppData\Roaming\OpenOffice
2013-09-13 21:25 - 2013-09-13 21:25 - 00000000 ____D C:\Program Files (x86)\OpenOffice 4
2013-09-13 21:08 - 2013-09-13 21:08 - 00614816 _____ C:\Users\Peter\Downloads\OpenOffice - CHIP-Downloader.exe
2013-09-12 23:13 - 2013-09-12 23:13 - 00320512 _____ C:\Windows\SysWOW64\LiveWrapRTSP.dll
2013-09-12 08:07 - 2013-09-12 08:07 - 00000000 ____D C:\Windows\rescache
2013-09-12 06:55 - 2012-03-05 20:24 - 00000000 ___RD C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-11 21:36 - 2013-08-14 22:25 - 00000000 ____D C:\Windows\system32\MRT
2013-09-11 21:35 - 2012-03-19 09:13 - 79143768 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-09-11 21:35 - 2012-03-05 20:46 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-11 17:19 - 2013-09-11 17:19 - 01128019 _____ C:\Users\Peter\Downloads\wordpress-seo.1.4.15.zip
2013-09-11 09:27 - 2013-09-11 09:27 - 00070274 _____ C:\Users\Peter\Downloads\mini-twitter-feed.2.0.1.zip
2013-09-09 11:11 - 2013-09-27 17:40 - 00074560 _____ (McAfee, Inc.) C:\Windows\system32\Drivers\McPvDrv.sys
2013-09-08 17:55 - 2013-09-08 17:54 - 00000000 ____D C:\Users\Peter\AppData\Local\{C5FD1A60-452C-4222-9310-0E9F373EA216}
2013-09-07 19:55 - 2013-09-07 19:55 - 00000000 ____D C:\Users\Peter\AppData\Local\{4FBB8C86-DA40-40CA-8639-17D8143B76A5}
2013-09-06 11:25 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\NDF

Files to move or delete:
====================
C:\Users\Peter\AppData\Roaming\Camdata.ini
C:\Users\Peter\AppData\Roaming\CamLayout.ini
C:\Users\Peter\AppData\Roaming\CamShapes.ini
C:\ProgramData\nud0repor.pad


Some content of TEMP:
====================
C:\Users\Peter\AppData\Local\Temp\apptorun.exe
C:\Users\Peter\AppData\Local\Temp\ffmpeg15.exe
C:\Users\Peter\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Peter\AppData\Local\Temp\mp3el.exe
C:\Users\Peter\AppData\Local\Temp\pixsetup.exe
C:\Users\Peter\AppData\Local\Temp\prismsetup.exe
C:\Users\Peter\AppData\Local\Temp\SHSetup.exe
C:\Users\Peter\AppData\Local\Temp\Softonic_chr_1-8-19-3.exe
C:\Users\Peter\AppData\Local\Temp\vlc-2.0.7-win32.exe
C:\Users\Peter\AppData\Local\Temp\vpsetup.exe
C:\Users\Peter\AppData\Local\Temp\_is7C0D.exe
C:\Users\Peter\AppData\Local\Temp\_is8BEC.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-10-01 08:29

==================== End Of Log ============================
         
--- --- ---
__________________

Alt 09.10.2013, 07:58   #4
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 1:

Code:
ATTFilter
GMER 2.1.19163 - hxxp://www.gmer.net
Rootkit scan 2013-10-07 21:36:14
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Corsair_ rev.1.3. 111,79GB
Running: gmer.exe; Driver: C:\Users\Peter\AppData\Local\Temp\kwloapow.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544                                                                                                fffff800039a5000 45 bytes [00, 00, 10, 02, 4D, 6D, 43, ...]
INITKDBG  C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 591                                                                                                fffff800039a502f 16 bytes [00, 18, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text     C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                         0000000077931570 6 bytes [48, B8, F0, 12, A9, 01]
.text     C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                     0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bitdefender\Bitdefender\vsserv.exe[988] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1                                            0000000077859301 11 bytes [B8, F0, 12, C5, 01, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                             00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                             00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                  0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                              0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                      00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                  00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                      0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                  0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                            0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                           0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                       0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                         0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                     0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                           0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                       0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                            0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                         0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                     0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                            0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                        0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                             0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                         0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                              0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                          0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                            0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                        0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                               0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                           0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                             0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                            00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                               0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                           0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                              0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                          0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                             0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                         0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                             00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                             00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                         00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                           00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                       00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                       00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                   00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                         0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                     0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                             0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                       00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                       00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                        00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                  00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                    00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                       00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                       00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                     0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                     0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                              000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                              000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                         000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                         000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                      000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                      000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                          000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                            000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                      000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                      000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                          000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                      000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                  000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                 000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                        000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                             00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                            00000000776ca405 3 bytes [B8, B9, E3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!PostMessageA + 5                                                                            00000000776ca409 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                          00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                             00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                             00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                         00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                     00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                       00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                       00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                             00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!ShowWindow                                                                                  00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                              00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                            00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                            00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                             00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                          00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                          00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                            00000000776d76e5 11 bytes [B8, 79, E5, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                            00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                            00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!GetMessageW                                                                                 00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                 00000000776da2c9 3 bytes [B8, 79, F3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                 00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                              00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                              00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                           00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                           00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                             00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                             00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                       00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                      00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                           00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                           00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                           0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                           0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                          000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                          000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                           000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\system32\atiesrxx.exe[1216] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                           000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                              00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                           00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                              00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                              00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                          00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                      00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                        00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                        00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                              00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!ShowWindow                                                                                   00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                               00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                             00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                             00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                              00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                           00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                           00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                             00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                             00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!GetMessageW                                                                                  00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                  00000000776da2c9 3 bytes [B8, 39, EE]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                  00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                               00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                               00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                            00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                            00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                              00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                              00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                        00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                       00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                            00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                            00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                            0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                            0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                           000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                           000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                            000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                            000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                  000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                                  000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!closesocket                                                                                  000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                               000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                  000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                                  000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                 000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!connect                                                                                      000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!send + 1                                                                                     000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                            000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                   000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!socket + 5                                                                                   000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                     000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!recv + 5                                                                                     000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                               000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1304] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                                       000007fefe6fdcb1 11 bytes [B8, 39, 85, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
         

Alt 09.10.2013, 07:58   #5
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 2:

Code:
ATTFilter
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                              00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                           00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                              00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                              00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                          00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                      00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                        00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                        00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                              00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!ShowWindow                                                                                   00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                               00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                             00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                             00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                              00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                           00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                           00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                             00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                             00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!GetMessageW                                                                                  00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                  00000000776da2c9 3 bytes [B8, 39, EE]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                  00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                               00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                               00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                            00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                            00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                              00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                              00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                        00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                       00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                            00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                            00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                            0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                            0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                           000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                           000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                            000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                            000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                                       000007fefe6fdcb1 11 bytes [B8, 39, 85, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                              00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                           00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                              00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                              00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                          00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                      00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                        00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                        00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                              00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!ShowWindow                                                                                   00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                               00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                             00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                             00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                              00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                           00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                           00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                             00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                             00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!GetMessageW                                                                                  00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                  00000000776da2c9 3 bytes [B8, 39, EE]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                  00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                               00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                               00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                            00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                            00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                              00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                              00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                        00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                       00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                            00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                            00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                            0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                            0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                           000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                           000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                            000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                            000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                  000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                                  000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!closesocket                                                                                  000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                               000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                  000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                                  000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                 000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!connect                                                                                      000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!send + 1                                                                                     000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                            000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                   000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!socket + 5                                                                                   000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                     000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!recv + 5                                                                                     000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1376] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                               000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                              00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                           00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                              00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                              00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                          00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                      00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                        00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                        00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                              00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!ShowWindow                                                                                   00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                               00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                             00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                             00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                              00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                           00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                           00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
         


Alt 09.10.2013, 08:00   #6
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 3:

Code:
ATTFilter
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                             00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                             00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!GetMessageW                                                                                  00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                  00000000776da2c9 3 bytes [B8, 39, EE]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                  00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                               00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                               00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                            00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                            00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                              00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                              00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                        00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                       00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                            00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                            00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                            0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                            0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                           000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                           000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                            000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                            000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                  000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                                  000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!closesocket                                                                                  000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                               000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                  000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                                  000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                 000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!connect                                                                                      000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!send + 1                                                                                     000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                            000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                   000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!socket + 5                                                                                   000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                     000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!recv + 5                                                                                     000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                               000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiDecomposeDescriptorW + 165                                                                   000007feec293eb1 3 bytes [B8, B9, F1]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiDecomposeDescriptorW + 169                                                                   000007feec293eb5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiQueryProductStateA + 1                                                                       000007feec310aa5 11 bytes [B8, 39, 46, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiInstallProductA + 1                                                                          000007feec310f21 3 bytes [B8, B9, 42]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiInstallProductA + 5                                                                          000007feec310f25 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiQueryProductStateW + 1                                                                       000007feec31f73d 11 bytes [B8, F9, 47, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiInstallProductW + 1                                                                          000007feec31faa9 3 bytes [B8, 79, 44]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiInstallProductW + 5                                                                          000007feec31faad 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiOpenDatabaseW + 1                                                                            000007feec33812d 11 bytes [B8, F9, 40, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiOpenDatabaseA + 1                                                                            000007feec338359 3 bytes [B8, 39, 3F]
.text     C:\Windows\system32\svchost.exe[1416] C:\Windows\system32\msi.dll!MsiOpenDatabaseA + 5                                                                            000007feec33835d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                              00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                           00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                              00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                              00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                          00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                      00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                        00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                        00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                              00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!ShowWindow                                                                                   00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                               00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                             00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                             00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                              00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                           00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                           00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                             00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                             00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!GetMessageW                                                                                  00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                  00000000776da2c9 3 bytes [B8, 39, EE]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                  00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                               00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                               00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                            00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                            00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                              00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                              00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                        00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                       00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                            00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                            00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                            0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                            0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                           000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                           000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                            000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1776] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                            000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                  0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                              0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                              00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                             00000000776ca405 3 bytes [B8, B9, E3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!PostMessageA + 5                                                                             00000000776ca409 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                           00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                              00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                              00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                          00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                      00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                        00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                        00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                              00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!ShowWindow                                                                                   00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                               00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                             00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                             00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                              00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                           00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                           00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                             00000000776d76e5 11 bytes [B8, 79, E5, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                             00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                             00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!GetMessageW                                                                                  00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                  00000000776da2c9 3 bytes [B8, 79, F3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                  00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                               00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                               00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                            00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                            00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                              00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                              00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                        00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                       00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                            00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                            00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                            0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                            0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                           000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                           000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                            000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\System32\spoolsv.exe[1912] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                            000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
         

Alt 09.10.2013, 08:01   #7
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 4:

Code:
ATTFilter
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                              00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                           00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                              00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                              00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                          00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                      00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                        00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                        00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                              00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!ShowWindow                                                                                   00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                               00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                             00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                             00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                              00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                           00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                           00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                             00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                             00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!GetMessageW                                                                                  00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                  00000000776da2c9 3 bytes [B8, 39, EE]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                  00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                               00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                               00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                            00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                            00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                              00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                              00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                        00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                       00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                            00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                            00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                            0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                            0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                           000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                           000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                            000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                            000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                  000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                                  000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!closesocket                                                                                  000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                               000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                  000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                                  000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                 000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!connect                                                                                      000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!send + 1                                                                                     000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                            000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                   000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!socket + 5                                                                                   000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                     000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!recv + 5                                                                                     000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                               000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                0000000077adf928 5 bytes JMP 0000000175ba6661
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                    0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                    0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                              0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                         0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                       0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                         0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                              0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                       0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                          0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                           0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                            0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                          0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                             0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                               0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                              0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                             0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                            0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                           0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                               0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                           0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                         0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                     0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                       0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                               0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                 0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                               0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                         0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                 0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                         00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                          00000000756b1072 5 bytes JMP 0000000075ba2911
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                            00000000756b4977 5 bytes JMP 0000000075ba2521
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                  00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!Process32NextW                                          00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!WinExec                                                 0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                       0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                       0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                            00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                            0000000075757372 5 bytes JMP 0000000075ba45c1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                               0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                           000000007599c428 5 bytes JMP 0000000075ba37b1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                    000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                           000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                       000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                          00000000759a134a 5 bytes JMP 0000000075ba3721
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                            00000000759a1371 5 bytes JMP 0000000075ba3691
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                      00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                        00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                        00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                        00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                           00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                      00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                               00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                 00000000759a4489 5 bytes JMP 0000000075ba2371
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                          00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                    00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                           00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                                000000007734a472 5 bytes JMP 0000000175ba6811
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                                00000000773527ce 5 bytes JMP 0000000175ba1b91
.text     D:\Programme2\Elements 10 Organizer\PhotoshopElementsFileAgent.exe[1440] C:\Windows\syswow64\msvcrt.dll!__p__environ                                              000000007735e6cf 5 bytes JMP 0000000175ba1b01
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                      0000000077adf928 5 bytes JMP 0000000175ba6661
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                          0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                          0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                    0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                               0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                             0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                               0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                    0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                             0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                 0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                  0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                   0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                     0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                    0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                   0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                  0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                 0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                     0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                 0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                               0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                           0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                             0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                     0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                       0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                     0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                               0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                       0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                               00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                  00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                        00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                      00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!WinExec                                                       0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                             0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                             0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                  00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                  0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                     0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                 000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                          000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                 000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                             000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                  00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                            00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                              00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                              00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                              00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                 00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                            00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                     00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                       00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                          00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                 00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!GetMessageW                                                     00000000775d78e2 5 bytes JMP 0000000175ba4021
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!GetMessageA                                                     00000000775d7bd3 5 bytes JMP 0000000175ba3f91
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                 00000000775d8a29 5 bytes JMP 0000000175ba52b1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!FindWindowW                                                     00000000775d98fd 5 bytes JMP 0000000175ba5cd1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                         00000000775db6ed 5 bytes JMP 0000000175ba6811
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                 00000000775dd22e 5 bytes JMP 0000000175ba5341
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!FindWindowA                                                     00000000775dffe6 5 bytes JMP 0000000175ba5bb1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                   00000000775e00d9 5 bytes JMP 0000000175ba5c41
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                    00000000775e05ba 5 bytes JMP 0000000175ba4141
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!ShowWindow                                                      00000000775e0dfb 5 bytes JMP 0000000175ba53d1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageW                                                    00000000775e12a5 5 bytes JMP 0000000175ba64b1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                  00000000775e20ec 5 bytes JMP 0000000175ba5731
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!PostMessageA                                                    00000000775e3baa 5 bytes JMP 0000000175ba6421
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                    00000000775e5f74 5 bytes JMP 0000000175ba40b1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                  00000000775e6285 5 bytes JMP 0000000175ba4771
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                               00000000775e7603 5 bytes JMP 0000000175ba2ac1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                  00000000775e7aee 5 bytes JMP 0000000175ba56a1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                               00000000775e835c 5 bytes JMP 0000000175ba2a31
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                      00000000775fce54 5 bytes JMP 0000000175ba54f1
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                             00000000775ff52b 5 bytes JMP 0000000175ba4801
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                   00000000775ff588 5 bytes JMP 0000000175ba5d61
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                   00000000776010a0 5 bytes JMP 0000000175ba5461
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                   000000007762fcd6 5 bytes JMP 0000000175ba5581
.text     C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2056] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                   000000007762fcfa 5 bytes JMP 0000000175ba5611
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                      0000000077adf928 5 bytes JMP 0000000175ba6661
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtClose                          0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess          0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                    0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection               0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection             0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess               0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                    0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory             0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                 0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                  0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                   0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                     0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                    0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                   0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                  0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                 0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                     0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                 0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread               0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation           0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl             0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                     0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter       0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx     0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!RtlReportException               0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters       0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA               00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!CreateProcessA                00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                  00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW        00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot      00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!Process32NextW                00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!WinExec                       0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA             0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW             0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                  00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                  0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime     0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                 000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory          000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                 000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW             000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                  00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW            00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress              00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW              00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA              00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                 00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA            00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                     00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!Sleep                       00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread          00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                 00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                  000000007752ca4c 5 bytes JMP 0000000175ba38d1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                  0000000077532bf0 5 bytes JMP 0000000175ba3841
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle            000000007753369c 5 bytes JMP 0000000175ba3cc1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222           00000000775349e5 5 bytes JMP 0000000175ba6811
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                000000007754712c 5 bytes JMP 0000000175ba3f01
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!ControlService                0000000077547144 5 bytes JMP 0000000175ba3a81
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                 000000007754715c 5 bytes JMP 0000000175ba3b11
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA          00000000775630e8 5 bytes JMP 0000000175ba3ba1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW          00000000775630f8 5 bytes JMP 0000000175ba3c31
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA             0000000077563108 5 bytes JMP 0000000175ba3961
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW             0000000077563118 5 bytes JMP 0000000175ba39f1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                0000000077563158 5 bytes JMP 0000000175ba3e71
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!GetMessageW                     00000000775d78e2 5 bytes JMP 0000000175ba4021
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!GetMessageA                     00000000775d7bd3 5 bytes JMP 0000000175ba3f91
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!CreateWindowExW                 00000000775d8a29 5 bytes JMP 0000000175ba52b1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!FindWindowW                     00000000775d98fd 5 bytes JMP 0000000175ba5cd1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize         00000000775db6ed 5 bytes JMP 0000000175ba68a1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!CreateWindowExA                 00000000775dd22e 5 bytes JMP 0000000175ba5341
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!FindWindowA                     00000000775dffe6 5 bytes JMP 0000000175ba5bb1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!FindWindowExA                   00000000775e00d9 5 bytes JMP 0000000175ba5c41
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!PeekMessageW                    00000000775e05ba 5 bytes JMP 0000000175ba4141
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!ShowWindow                      00000000775e0dfb 5 bytes JMP 0000000175ba53d1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!PostMessageW                    00000000775e12a5 5 bytes JMP 0000000175ba64b1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!SetWindowTextW                  00000000775e20ec 5 bytes JMP 0000000175ba5731
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!PostMessageA                    00000000775e3baa 5 bytes JMP 0000000175ba6421
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!PeekMessageA                    00000000775e5f74 5 bytes JMP 0000000175ba40b1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!CallNextHookEx                  00000000775e6285 5 bytes JMP 0000000175ba4771
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW               00000000775e7603 5 bytes JMP 0000000175ba2ac1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!SetWindowTextA                  00000000775e7aee 5 bytes JMP 0000000175ba56a1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA               00000000775e835c 5 bytes JMP 0000000175ba2a31
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW      00000000775fce54 5 bytes JMP 0000000175ba54f1
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx             00000000775ff52b 5 bytes JMP 0000000175ba4801
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!FindWindowExW                   00000000775ff588 5 bytes JMP 0000000175ba5d61
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW   00000000776010a0 5 bytes JMP 0000000175ba5461
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!MessageBoxExA                   000000007762fcd6 5 bytes JMP 0000000175ba5581
.text     C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2128] C:\Windows\syswow64\USER32.dll!MessageBoxExW                   000000007762fcfa 5 bytes JMP 0000000175ba5611
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                   00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                   00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                        0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                    0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                            00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                        00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                            0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                        0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                      0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                  0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                 0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                             0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                               0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                           0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                 0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                             0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                      0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                  0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                               0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                           0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                  0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                              0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                   0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                               0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                    0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                  0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                              0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                     0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                 0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                       0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                   0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                      00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                  00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                     0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                 0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                    0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
         

Alt 09.10.2013, 08:02   #8
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 5:

Code:
ATTFilter
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                   0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                               0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                       00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                   00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                   00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                               00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                 00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                             00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                             00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                         00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                               0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                           0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                       0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                   0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                             00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                             00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                              00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                        00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                          00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                             00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                             00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                           0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                           0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                    000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                    000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                               000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                               000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                            000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                            000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                  000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                            000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                            000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                            000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                        000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                       000007fefda4287a 2 bytes [50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                              000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                       000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                       000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!closesocket                                                                       000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                    000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                       000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                       000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                      000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!connect                                                                           000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!send + 1                                                                          000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                     000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                 000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!socket + 1                                                                        000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!socket + 5                                                                        000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!recv + 1                                                                          000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!recv + 5                                                                          000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Bonjour\mDNSResponder.exe[2220] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                    000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                               0000000077adf928 5 bytes JMP 0000000175ba6661
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                   0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                   0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                             0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                        0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                      0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                        0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                             0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                      0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                         0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                          0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                           0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                         0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                            0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                              0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                             0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                            0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                           0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                          0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                              0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                          0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                        0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                    0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                      0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                              0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                                0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                              0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                        0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                                0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                        00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                         00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                           00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                 00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                               00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                         00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!WinExec                                                                0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                      0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                      0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                           00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                           0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                              0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                          000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                   000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                          000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                      000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                         00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                           00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                     00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                       00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                       00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                       00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                          00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                     00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                              00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                                00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                         00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                   00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                          00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!GetMessageW                                                              00000000775d78e2 5 bytes JMP 0000000175ba4021
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!GetMessageA                                                              00000000775d7bd3 5 bytes JMP 0000000175ba3f91
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                          00000000775d8a29 5 bytes JMP 0000000175ba52b1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!FindWindowW                                                              00000000775d98fd 5 bytes JMP 0000000175ba5cd1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                                  00000000775db6ed 5 bytes JMP 0000000175ba6811
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                          00000000775dd22e 5 bytes JMP 0000000175ba5341
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!FindWindowA                                                              00000000775dffe6 5 bytes JMP 0000000175ba5bb1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                            00000000775e00d9 5 bytes JMP 0000000175ba5c41
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                             00000000775e05ba 5 bytes JMP 0000000175ba4141
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!ShowWindow                                                               00000000775e0dfb 5 bytes JMP 0000000175ba53d1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!PostMessageW                                                             00000000775e12a5 5 bytes JMP 0000000175ba64b1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                           00000000775e20ec 5 bytes JMP 0000000175ba5731
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!PostMessageA                                                             00000000775e3baa 5 bytes JMP 0000000175ba6421
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                             00000000775e5f74 5 bytes JMP 0000000175ba40b1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                           00000000775e6285 5 bytes JMP 0000000175ba4771
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                        00000000775e7603 5 bytes JMP 0000000175ba2ac1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                           00000000775e7aee 5 bytes JMP 0000000175ba56a1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                        00000000775e835c 5 bytes JMP 0000000175ba2a31
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                               00000000775fce54 5 bytes JMP 0000000175ba54f1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                      00000000775ff52b 5 bytes JMP 0000000175ba4801
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                            00000000775ff588 5 bytes JMP 0000000175ba5d61
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                            00000000776010a0 5 bytes JMP 0000000175ba5461
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                            000000007762fcd6 5 bytes JMP 0000000175ba5581
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                            000000007762fcfa 5 bytes JMP 0000000175ba5611
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!closesocket                                                              0000000076eb3918 5 bytes JMP 0000000175ba5851
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                                               0000000076eb3cd3 5 bytes JMP 0000000175ba57c1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!socket                                                                   0000000076eb3eb8 5 bytes JMP 0000000175ba60c1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!WSASend                                                                  0000000076eb4406 5 bytes JMP 0000000175ba20a1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                                             0000000076eb4889 5 bytes JMP 0000000175ba5191
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!recv                                                                     0000000076eb6b0e 5 bytes JMP 0000000175ba6271
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!connect                                                                  0000000076eb6bdd 1 byte JMP 0000000175ba3de1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!connect + 2                                                              0000000076eb6bdf 3 bytes {CALL RCX}
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!send                                                                     0000000076eb6f01 5 bytes JMP 0000000175ba2011
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!WSARecv                                                                  0000000076eb7089 5 bytes JMP 0000000175ba6301
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                               0000000076ebcc3f 5 bytes JMP 0000000175ba61e1
.text     C:\Program Files (x86)\devolo\dlan\devolonetsvc.exe[2288] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                                            0000000076ec7673 5 bytes JMP 0000000175ba5221
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                               00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                               00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                    0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                        00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                    00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                        0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                    0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                  0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                              0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                             0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                         0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                           0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                       0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                             0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                         0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                  0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                              0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                           0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                       0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                              0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                          0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                               0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                           0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                            0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                              0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                          0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                 0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                             0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                   0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                               0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                  00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                              00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                 0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                             0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                            0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                               0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                           0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                   00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                               00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                               00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                           00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                             00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                         00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                         00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                     00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                           0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                       0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                   0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                               0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                         00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                         00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                          00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                    00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                      00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                         00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                         00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                       0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                       0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                           000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                           000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                        000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                        000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                            000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                              000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                        000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                        000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                            000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                        000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                    000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                   000007fefda4287a 2 bytes [50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                          000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                   000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                   000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!closesocket                                                                   000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                   000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                   000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                  000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!connect                                                                       000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!send + 1                                                                      000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                 000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                             000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!socket + 1                                                                    000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!socket + 5                                                                    000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!recv + 1                                                                      000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!recv + 5                                                                      000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\dtpd.exe[2316] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                              00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                           00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                              00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                              00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                          00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                      00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                        00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                        00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                              00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!ShowWindow                                                                                   00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                               00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                             00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                             00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                              00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                           00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                           00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                             00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                             00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!GetMessageW                                                                                  00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                  00000000776da2c9 3 bytes [B8, 39, EE]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                  00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                               00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                               00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                            00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                            00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                              00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                              00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                        00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                       00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                            00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                            00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                            0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                            0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                           000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                           000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                            000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                            000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2344] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                                       000007fefe6fdcb1 11 bytes [B8, 39, 85, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                               00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                               00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                    0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                        00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                    00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                        0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
         

Alt 09.10.2013, 08:03   #9
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER TEil 6:

Code:
ATTFilter
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                    0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                  0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                              0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                             0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                         0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                           0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                       0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                             0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                         0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                  0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                              0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                           0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                       0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                              0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                          0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                               0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                           0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                            0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                              0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                          0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                 0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                             0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                   0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                               0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                  00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                              00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                 0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                             0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                            0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                               0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                           0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                   00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                               00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                               00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                           00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                             00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                         00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                         00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                     00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                           0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                       0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                   0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                               0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                         00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                         00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                          00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                    00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                      00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                         00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                         00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                       0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                       0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                           000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                           000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                        000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                        000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                            000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                              000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                        000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                        000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                            000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                        000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                    000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                   000007fefda4287a 2 bytes [50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                          000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                   000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                   000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!closesocket                                                                   000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                   000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                   000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                  000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!connect                                                                       000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!send + 1                                                                      000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                 000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                             000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!socket + 1                                                                    000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!socket + 5                                                                    000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!recv + 1                                                                      000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!recv + 5                                                                      000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\iked.exe[2368] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                             00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                             00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                  0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                              0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                      00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                  00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                      0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                  0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                            0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                           0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                       0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                         0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                     0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                           0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                       0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                            0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                         0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                     0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                            0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                        0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                             0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                         0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                              0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                          0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                            0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                        0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                               0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                           0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                             0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                            00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                               0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                           0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                              0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                          0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                             0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                         0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                             00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                             00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                         00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                           00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                       00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                       00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                   00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                         0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                     0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                             0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                       00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                       00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                        00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                  00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                    00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                       00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                       00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                     0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                     0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                              000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                              000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                         000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                         000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                      000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                      000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                          000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                            000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                      000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                      000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                          000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                      000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                  000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                 000007fefda4287a 2 bytes [50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                        000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                 000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                 000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!closesocket                                                                 000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                              000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                 000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                 000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!connect                                                                     000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!send + 1                                                                    000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!gethostbyname                                                               000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                           000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!socket + 1                                                                  000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!socket + 5                                                                  000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!recv + 1                                                                    000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!recv + 5                                                                    000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe[2424] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                              000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                   00000000771b1465 2 bytes [1B, 77]
.text     C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                  00000000771b14bb 2 bytes [1B, 77]
.text     ...                                                                                                                                                               * 2
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                   0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                 0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                               0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                  0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                 00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                          0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                  0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                              0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                                         000007feffb30761 3 bytes [B8, 79, F3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                                         000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                             000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                             000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                       000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                       000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                          000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                      000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                           000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                       000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Program Files\Microsoft LifeCam\MSCamS64.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                       000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                          000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                      000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                           000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                       000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                       000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                                                         000007feffb30761 3 bytes [B8, 39, EE]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                                                         000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                             000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                             000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                       000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[2724] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                       000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                     0000000077931570 5 bytes [48, B8, F0, 12, 2F]
.text     C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                 0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe[2768] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1                                        0000000077859301 11 bytes [B8, F0, 12, B3, 01, 00, 00, ...]
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                        0000000077adf928 5 bytes JMP 0000000175ba6661
         

Alt 09.10.2013, 08:04   #10
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER TEil 7:

Code:
ATTFilter
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtClose                                            0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                            0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                      0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                 0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                               0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                 0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                      0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                               0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                  0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                   0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                    0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                  0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                     0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                       0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                      0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                     0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                    0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                   0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                       0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                   0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                 0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                             0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                               0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                       0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                         0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                       0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                 0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                         0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                 00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                  00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                    00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                          00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                        00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!Process32NextW                                  00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!WinExec                                         0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                               0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                               0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                    00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                    0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                       0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                   000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                            000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                   000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                               000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                  00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                    00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                              00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                   00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                              00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                       00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                         00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                  00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                            00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                   00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                        000000007734a472 5 bytes JMP 0000000175ba6811
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                        00000000773527ce 5 bytes JMP 0000000175ba1b91
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\msvcrt.dll!__p__environ                                      000000007735e6cf 5 bytes JMP 0000000175ba1b01
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!closesocket                                       0000000076eb3918 5 bytes JMP 0000000175ba5851
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                        0000000076eb3cd3 5 bytes JMP 0000000175ba57c1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!socket                                            0000000076eb3eb8 5 bytes JMP 0000000175ba60c1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!WSASend                                           0000000076eb4406 5 bytes JMP 0000000175ba20a1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                      0000000076eb4889 5 bytes JMP 0000000175ba5191
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!recv                                              0000000076eb6b0e 5 bytes JMP 0000000175ba6271
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!connect                                           0000000076eb6bdd 1 byte JMP 0000000175ba3de1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!connect + 2                                       0000000076eb6bdf 3 bytes {CALL RCX}
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!send                                              0000000076eb6f01 5 bytes JMP 0000000175ba2011
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!WSARecv                                           0000000076eb7089 5 bytes JMP 0000000175ba6301
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                        0000000076ebcc3f 5 bytes JMP 0000000175ba61e1
.text     C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe[2836] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                     0000000076ec7673 5 bytes JMP 0000000175ba5221
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                          000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                      000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                           000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                       000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                       000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                                                         000007feffb30761 3 bytes [B8, 39, EE]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                                                         000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                             000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                             000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                       000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Windows\System32\svchost.exe[3068] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                       000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                      00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                      00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                           0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                       0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                               00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                           00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                               0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                           0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                         0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                     0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                    0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                  0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                              0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                    0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                         0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                     0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                  0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                              0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                     0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                 0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                      0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                  0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                       0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                   0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                     0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                 0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                        0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                    0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                          0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                      0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                         00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                     00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                        0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                    0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                       0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                   0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                      0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                  0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                          00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                      00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                      00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                  00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                    00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                            00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                  0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                              0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                          0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                      0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                 00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                           00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                             00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                              0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                              0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!ReadConsoleW                                       000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\kernel32.dll!ReadConsoleA                                       000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                  000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                  000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                               000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                               000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                   000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                     000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                               000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                               000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                   000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                               000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                           000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                          000007fefda4287a 2 bytes [50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                 000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                 000007feffb30761 3 bytes [B8, 79, F3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                 000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                     000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                     000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                               000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                               000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                  000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                        000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                              000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                        000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                   000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                               000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                               000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2104] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                               000007fefe6fdcb1 11 bytes [B8, 39, 85, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                     00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                     00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                          0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                      0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                              00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                          00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                              0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                          0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                        0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                    0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                   0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                               0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                 0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                             0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                   0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                               0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                        0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                    0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                 0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                             0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                    0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                     0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                 0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                      0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                  0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                    0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                       0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                   0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                         0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                     0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                        00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                    00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                       0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                   0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                      0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                  0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                     0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                 0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                         00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                     00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                     00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                 00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                   00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                               00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                               00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                           00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                 0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                             0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                         0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                     0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                               00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                               00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                          00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                            00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                               00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                               00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                             0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                             0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleW                                      000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\kernel32.dll!ReadConsoleA                                      000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                 000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                 000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                              000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                              000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                  000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                    000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                              000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                              000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                  000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                              000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                          000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                         000007fefda4287a 2 bytes [50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                000007feffb30761 3 bytes [B8, 79, F3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                    000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                    000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                              000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                              000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                 000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                       000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                             000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                       000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                  000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                              000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3220] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                              000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
         

Alt 09.10.2013, 08:05   #11
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 8:

Code:
ATTFilter
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                          000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                      000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                           000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                       000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                       000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                                                         000007feffb30761 3 bytes [B8, 39, EE]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                                                         000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                             000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                             000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                       000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[1740] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                       000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                             00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                             00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                  0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                              0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                      00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                  00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                      0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                  0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                            0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                           0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                       0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                         0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                     0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                           0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                       0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                            0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                         0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                     0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                            0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                        0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                             0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                         0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                              0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                          0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                            0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                        0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                               0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                           0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                             0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                            00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                               0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                           0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                              0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                          0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                             0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                         0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                             00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                             00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                         00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                           00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                       00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                       00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                   00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                         0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                     0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                             0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                       00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                       00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                        00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                  00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                    00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                       00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                       00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                     0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                     0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                              000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                              000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                         000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                         000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                      000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                      000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                          000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                            000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                      000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                      000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                          000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                      000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                  000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                 000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                        000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                                                        000007feffb30761 3 bytes [B8, 79, F3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                                                        000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                            000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                            000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                      000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                      000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                         000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                               000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                     000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                               000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                          000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                      000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Windows\System32\WUDFHost.exe[2552] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                      000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                        00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                        00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                             0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                         0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                 00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                             00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                 0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                             0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                           0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                       0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                      0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                  0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                    0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                      0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                  0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                           0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                       0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                    0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                       0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                   0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                        0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                    0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                         0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                     0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                       0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                   0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                          0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                      0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                            0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                        0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                           00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                       00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                          0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                      0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                         0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                     0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                        0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                    0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                            00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                        00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                        00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                    00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                      00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                  00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                  00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                              00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                    0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                            0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                        0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                  00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                  00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                   00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                             00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                               00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                  00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                  00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                         000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                         000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                    000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                    000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                 000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                 000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                     000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                       000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                 000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                 000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                     000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                 000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                             000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                            000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                   000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                                                   000007feffb30761 3 bytes [B8, 79, F3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                                                   000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                       000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                       000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                 000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                 000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                    000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                          000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                          000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                     000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                 000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\SearchIndexer.exe[3868] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                 000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                             00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                             00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                  0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                              0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                      00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                  00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                      0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                  0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                            0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                           0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                       0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                         0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                     0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                           0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                       0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                            0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                         0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                     0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                            0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                        0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                             0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                         0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                              0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                          0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                            0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                        0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                               0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                           0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                             0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                            00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                               0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                           0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                              0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                          0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                             0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                         0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                             00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                             00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                         00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                           00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                       00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                       00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                   00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                         0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                     0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                             0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                       00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                       00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                        00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                  00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                    00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                       00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                       00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                     0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                     0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                              000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                              000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                         000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                         000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                      000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                      000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                          000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                            000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                      000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                      000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                          000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                      000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                  000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                 000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                        000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                             00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                            00000000776ca405 3 bytes [B8, B9, E3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!PostMessageA + 5                                                                            00000000776ca409 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                          00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                             00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                             00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                         00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                     00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                       00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                       00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                             00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!ShowWindow                                                                                  00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                              00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                            00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                            00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                             00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                          00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                          00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                            00000000776d76e5 11 bytes [B8, 79, E5, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                            00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                            00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!GetMessageW                                                                                 00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                 00000000776da2c9 3 bytes [B8, 79, F3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                 00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                              00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                              00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                           00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                           00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                             00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                             00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                       00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                      00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                           00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                           00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                           0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                           0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                          000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                          000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                           000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\system32\atieclxx.exe[3764] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                           000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                  00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
         

Alt 09.10.2013, 08:06   #12
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 9:

Code:
ATTFilter
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                  00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                       0000000077931330 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                                   0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                           00000000779313a0 6 bytes [48, B8, 39, B6, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                       00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                           0000000077931470 6 bytes [48, B8, F9, A2, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                       0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                     0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                 0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                            0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                              0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                          0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                0000000077931570 6 bytes [48, B8, 39, A1, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                            0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                     0000000077931620 6 bytes [48, B8, B9, CE, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                                 0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                              0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                          0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                 0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                             0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                  0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                              0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                   0000000077931750 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                               0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                 0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                             0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                    0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                      0000000077931800 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                                  0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                     00000000779318b0 6 bytes [48, B8, 79, D7, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                                 00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                    0000000077931c80 6 bytes [48, B8, F9, CC, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                                0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                   0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                               0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                  0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                              0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                      00000000779320a0 6 bytes [48, B8, F9, B7, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                  00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                                  00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                              00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                            00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                            00000000779329a0 6 bytes [48, B8, B9, B9, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                        00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                              0000000077932aa0 6 bytes [48, B8, B9, D5, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                          0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                      0000000077932b80 6 bytes [48, B8, B9, C7, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                                  0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                            00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                            00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                             00000000777c20f1 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                       00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                         00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                            00000000777e1e31 3 bytes [B8, F9, C5]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                            00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                          0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                          0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                                   000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                                   000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                              000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                              000007fefda02db1 11 bytes [B8, 39, A8, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                           000007fefda03461 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                           000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                               000007fefda08ef0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                                 000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                           000007fefda0bfd1 3 bytes [B8, B9, A4]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                           000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                               000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                           000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                       000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                      000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                             000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                                  00000000776ca2e0 12 bytes [48, B8, 39, 8C, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                                 00000000776ca405 3 bytes [B8, 79, C9]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!PostMessageA + 5                                                                                 00000000776ca409 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                               00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                                  00000000776cd265 7 bytes [B8, 39, AF, 08, 76, 00, 00]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                                  00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                              00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                          00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                            00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                            00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                                  00000000776d0810 12 bytes [48, B8, 79, 8A, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!ShowWindow                                                                                       00000000776d1930 6 bytes [48, B8, F9, 8D, 08, 76]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                                   00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                                 00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                                 00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                                  00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                               00000000776d7055 3 bytes [B8, 79, 98]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                               00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                                 00000000776d76e5 11 bytes [B8, 39, CB, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                                 00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                                 00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!GetMessageW                                                                                      00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                      00000000776da2c9 3 bytes [B8, 39, D9]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                      00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                                   00000000776e4efd 3 bytes [B8, 79, 91]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                                   00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                                00000000776e7469 3 bytes [B8, B9, 8F]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                                00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                                  00000000776e8271 7 bytes [B8, B9, AB, 08, 76, 00, 00]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                                  00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                            00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                           00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                                00000000776e8d21 7 bytes [B8, F9, B0, 08, 76, 00, 00]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                                00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                                0000000077731371 11 bytes [B8, 39, 93, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                                0000000077731395 11 bytes [B8, F9, 94, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                               000000007773d379 3 bytes [B8, B9, 96]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                               000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                                000000007773dae1 7 bytes [B8, 79, AD, 08, 76, 00, 00]
.text     C:\Windows\system32\Dwm.exe[3152] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                                000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                                      00000000779192d1 5 bytes [B8, B9, 50, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                                      00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                               0000000077931470 6 bytes [48, B8, B9, 57, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                           0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                         0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                                     0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                                    0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                                0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                                  0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                              0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                    0000000077931570 6 bytes [48, B8, F9, 55, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                                0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                         0000000077931620 6 bytes [48, B8, F9, 71, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                                     0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                                  0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                              0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                                     0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                                 0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                                      0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                                  0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                       0000000077931750 6 bytes [48, B8, B9, 73, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                                   0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                                     0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                                 0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                        0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                                    0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                         00000000779318b0 6 bytes [48, B8, 39, 77, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                                     00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                        0000000077931c80 6 bytes [48, B8, 39, 70, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                                    0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                                       0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                                   0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                      0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                                  0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                          00000000779320a0 6 bytes [48, B8, 79, 60, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                                      00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                                    00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                                00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                00000000779329a0 6 bytes [48, B8, 39, 62, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                            00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                  0000000077932aa0 6 bytes [48, B8, 79, 75, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                              0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                          0000000077932b80 6 bytes [48, B8, 79, 67, 08, 76]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                                      0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                           00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                             00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                                00000000777e1e31 3 bytes [B8, B9, 65]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                                00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                               000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                           000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                          000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                                 000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                                                                 000007feffb30761 3 bytes [B8, F9, 78]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                                                                 000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                                     000007feffb33b44 12 bytes [48, B8, 39, 54, 08, 76, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                                     000007feffb4b704 12 bytes [48, B8, 79, 52, 08, 76, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                               000007feffb4b870 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                               000007feffb4b8dc 12 bytes [48, B8, B9, 49, 08, 76, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                                  000007feffaf642d 11 bytes [B8, 39, 46, 08, 76, 00, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                                        000007feffaf6484 12 bytes [48, B8, F9, 40, 08, 76, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                              000007feffaf6519 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                                        000007feffaf6c34 12 bytes [48, B8, 39, 3F, 08, 76, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                                   000007feffaf7ab5 11 bytes [B8, F9, 47, 08, 76, 00, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                               000007feffaf8b01 11 bytes [B8, B9, 42, 08, 76, 00, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                               000007feffaf8c39 11 bytes [B8, 79, 44, 08, 76, 00, 00, ...]
.text     C:\Windows\Explorer.EXE[2124] C:\Windows\system32\WS2_32.dll!connect                                                                                              000007feff8745c0 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                             00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                             00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                  0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                              0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                      00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                  00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                      0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                  0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                            0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                           0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                       0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                         0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                     0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                           0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                       0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                            0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                         0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                     0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                            0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                        0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                             0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                         0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                              0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                          0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                            0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                        0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                               0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                           0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                             0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                            00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                               0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                           0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                              0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                          0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                             0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                         0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                             00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                             00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                         00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                           00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                       00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                       00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                   00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                         0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                     0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                             0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                       00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                       00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                        00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                  00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                    00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                       00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                       00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                     0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                     0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                              000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                              000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                         000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                         000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                      000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                      000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                          000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                            000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                      000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                      000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                          000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                      000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                  000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                 000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                        000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                             00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                                            00000000776ca405 3 bytes [B8, B9, E3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!PostMessageA + 5                                                                            00000000776ca409 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                          00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                             00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                             00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                         00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                     00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                       00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                       00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                             00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!ShowWindow                                                                                  00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                              00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                            00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                            00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                             00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                          00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                          00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                                            00000000776d76e5 11 bytes [B8, 79, E5, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                            00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                            00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!GetMessageW                                                                                 00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                 00000000776da2c9 3 bytes [B8, 79, F3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                 00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                              00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                              00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                           00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                           00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                             00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                             00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                       00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                      00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                           00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                           00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                           0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                           0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                          000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                          000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                           000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                           000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\taskhost.exe[4676] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                                      000007fefe6fdcb1 11 bytes [B8, 39, 85, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                             00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                             00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                  0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                              0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                      00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                  00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                      0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                  0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                            0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                           0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                       0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                         0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                     0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                           0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                       0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                            0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                         0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                     0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                            0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                        0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                             0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                         0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                              0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                          0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                            0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                        0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                               0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                           0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                 0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                             0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                            00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                               0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                           0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                              0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                          0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                             0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                         0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                 00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                             00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                             00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                         00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                           00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                       00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                       00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                   00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                         0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                     0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                 0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                             0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                       00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                       00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                        00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                  00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                    00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                       00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                       00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                     0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                     0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                              000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                              000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                         000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                         000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                      000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                      000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                          000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                            000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                      000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                      000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                          000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                      000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                  000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                 000007fefda4287a 2 bytes [50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                        000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!CreateWindowExA                                                             00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!PostMessageA + 1                                                            00000000776ca405 3 bytes [B8, B9, E3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!PostMessageA + 5                                                            00000000776ca409 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                          00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                             00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                             00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                         00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                     00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                       00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                       00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!CreateWindowExW                                                             00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!ShowWindow                                                                  00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                              00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                            00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                            00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                             00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                          00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                          00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!PostMessageW + 1                                                            00000000776d76e5 11 bytes [B8, 79, E5, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                            00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                            00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!GetMessageW                                                                 00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                 00000000776da2c9 3 bytes [B8, 79, F3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                 00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                              00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                              00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                           00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                           00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                             00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                             00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                       00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
         

Alt 09.10.2013, 08:07   #13
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 10:

Code:
ATTFilter
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                      00000000776e8c2a 2 bytes [50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                           00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                           00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                           0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                           0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                          000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                          000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                           000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                           000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[5104] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                      000007fefe6fdcb1 11 bytes [B8, 39, 85, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                            00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                            00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                 0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                             0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                     00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                 00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                     0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                 0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                               0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                           0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                          0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                      0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                        0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                    0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                          0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                      0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                               0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                           0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                        0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                    0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                           0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                       0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                            0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                        0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                             0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                         0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                           0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                       0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                              0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                          0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                            0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                               00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                           00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                              0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                          0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                             0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                         0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                            0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                        0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                            00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                            00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                        00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                          00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                      00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                      00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                  00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                        0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                    0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                                0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                            0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                      00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                      00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                       00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                 00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                   00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                      00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                      00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                    0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                    0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                             000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                             000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                        000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                        000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                     000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                     000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                         000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                           000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                     000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                     000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                         000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                     000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                 000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                       000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                                                       000007feffb30761 3 bytes [B8, 79, F3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                                                       000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                           000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                           000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                                     000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                                     000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                                        000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                              000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                                    000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                              000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                                         000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                                     000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                                     000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                                000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!closesocket                                                                                000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                             000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                                000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                               000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!connect                                                                                    000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!send + 1                                                                                   000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                              000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                          000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                 000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!socket + 5                                                                                 000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                   000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!recv + 5                                                                                   000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\WindowsMobile\wmdc.exe[4136] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                             000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                                                            0000000077adf928 5 bytes JMP 0000000175ba6661
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                                                0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                                                0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                                                          0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                                                     0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                                                   0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                                                     0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                                                          0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                                                   0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                                                      0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                                                       0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                                                        0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                                                      0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                                                         0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                                                           0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                                                          0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                                                         0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                                                        0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                                                       0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                                                           0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                                                       0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                                                     0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                                                 0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                                                   0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                                                           0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                                                             0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                                                           0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                                                     0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                                                             0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                                                     00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                                                      00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                                                        00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                                                              00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                                                            00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                                                      00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!WinExec                                                                                             0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                                                   0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                                                   0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                                                        00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                                                        0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                                                           0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                                                       000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                                                000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                                                       000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                                                   000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                                                      00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                                                        00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                                                  00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                                                    00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                                                    00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                                                    00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                                                       00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                                                  00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                                                           00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                                                             00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                                                      00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                                                00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                                                       00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                                                                            000000007734a472 5 bytes JMP 0000000175ba6811
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                                                                            00000000773527ce 5 bytes JMP 0000000175ba1b91
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\msvcrt.dll!__p__environ                                                                                          000000007735e6cf 5 bytes JMP 0000000175ba1b01
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                                                        000000007752ca4c 5 bytes JMP 0000000175ba38d1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                                                                        0000000077532bf0 5 bytes JMP 0000000175ba3841
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                                                  000000007753369c 5 bytes JMP 0000000175ba3cc1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                                                                 00000000775349e5 5 bytes JMP 0000000175ba68a1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                                                      000000007754712c 5 bytes JMP 0000000175ba3f01
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                                                      0000000077547144 5 bytes JMP 0000000175ba3a81
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                                                                       000000007754715c 5 bytes JMP 0000000175ba3b11
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                                                                00000000775630e8 5 bytes JMP 0000000175ba3ba1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                                                                00000000775630f8 5 bytes JMP 0000000175ba3c31
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                                                                   0000000077563108 5 bytes JMP 0000000175ba3961
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                                                                   0000000077563118 5 bytes JMP 0000000175ba39f1
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                                                      0000000077563158 5 bytes JMP 0000000175ba3e71
.text     C:\Windows\vVX1000.exe[4264] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                                                                    0000000076280171 5 bytes JMP 0000000175ba4891
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                 00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                 00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                      0000000077931330 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                  0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                          00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                      00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                          0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                      0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                    0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                               0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                           0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                             0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                         0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                               0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                           0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                    0000000077931620 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                             0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                         0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                            0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                 0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                             0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                  0000000077931750 6 bytes [48, B8, 39, EE, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                              0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                            0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                   0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                               0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                     0000000077931800 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                 0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                    00000000779318b0 6 bytes [48, B8, B9, F1, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                   0000000077931c80 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                               0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                  0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                              0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                 0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                             0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                     00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                 00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                 00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                             00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                               00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                           00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                           00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                       00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                             0000000077932aa0 6 bytes [48, B8, F9, EF, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                         0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl                                                                     0000000077932b80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl + 8                                                                 0000000077932b88 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                           00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                           00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                            00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                      00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                        00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                           00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                           00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                         0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                         0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                  000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                  000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                             000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                             000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                          000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                          000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                              000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                          000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                          000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                              000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                          000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                      000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                     000007fefda4287a 2 bytes [50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                            000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 65                                                            000007feffb30761 3 bytes [B8, 79, F3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\ADVAPI32.dll!IsTextUnicode + 69                                                            000007feffb30765 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\ADVAPI32.dll!CreateServiceW                                                                000007feffb33b44 12 bytes [48, B8, 79, 67, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\ADVAPI32.dll!CreateServiceA                                                                000007feffb4b704 12 bytes [48, B8, B9, 65, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigW                                                          000007feffb4b870 12 bytes [48, B8, 39, 5B, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\ADVAPI32.dll!ChangeServiceConfigA                                                          000007feffb4b8dc 12 bytes [48, B8, 79, 59, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\sechost.dll!ControlService + 1                                                             000007feffaf642d 11 bytes [B8, F9, 55, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\sechost.dll!OpenServiceW                                                                   000007feffaf6484 12 bytes [48, B8, B9, 50, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\sechost.dll!CloseServiceHandle + 1                                                         000007feffaf6519 11 bytes [B8, F9, 5C, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\sechost.dll!OpenServiceA                                                                   000007feffaf6c34 12 bytes [48, B8, F9, 4E, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\sechost.dll!DeleteService + 1                                                              000007feffaf7ab5 11 bytes [B8, B9, 57, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExA + 1                                                          000007feffaf8b01 11 bytes [B8, 79, 52, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\SYSTEM32\sechost.dll!ControlServiceExW + 1                                                          000007feffaf8c39 11 bytes [B8, 39, 54, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\SHELL32.dll!Shell_NotifyIconW + 1                                                          000007fefe6fdcb1 11 bytes [B8, 39, 85, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\urlmon.dll!URLDownloadToCacheFileW                                                         000007fefdb2a480 12 bytes [48, B8, 79, 60, 08, 76, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\urlmon.dll!URLDownloadToFileW + 1                                                          000007fefdb2b3ed 11 bytes [B8, B9, 5E, 08, 76, 00, 00, ...]
.text     C:\Program Files\Windows Sidebar\sidebar.exe[4480] C:\Windows\system32\d3d11.dll!D3D11CreateDeviceAndSwapChain                                                    000007feede700f8 12 bytes [48, B8, 39, 8C, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1                                                              00000000779192d1 5 bytes [B8, F9, 63, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 7                                                              00000000779192d7 5 bytes [00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile                                                                                   0000000077931330 6 bytes [48, B8, 39, E7, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteFile + 8                                                                               0000000077931338 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                       00000000779313a0 6 bytes [48, B8, 79, D0, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtClose + 8                                                                                   00000000779313a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess                                                                       0000000077931470 6 bytes [48, B8, 39, BD, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8                                                                   0000000077931478 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess                                                                                 0000000077931510 6 bytes [48, B8, F9, 32, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8                                                                             0000000077931518 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                                            0000000077931530 6 bytes [48, B8, 39, 1C, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8                                                                        0000000077931538 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection                                                                          0000000077931550 6 bytes [48, B8, F9, 1D, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8                                                                      0000000077931558 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                            0000000077931570 6 bytes [48, B8, 79, BB, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                                        0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                 0000000077931620 6 bytes [48, B8, B9, E3, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8                                                                             0000000077931628 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                                                          0000000077931650 6 bytes [48, B8, 79, 2F, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8                                                                      0000000077931658 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject                                                                             0000000077931670 6 bytes [48, B8, 79, 36, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8                                                                         0000000077931678 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread                                                                              0000000077931700 6 bytes [48, B8, B9, 34, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8                                                                          0000000077931708 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                               0000000077931750 6 bytes [48, B8, F9, E8, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8                                                                           0000000077931758 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx                                                                             0000000077931780 6 bytes [48, B8, 39, 2A, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8                                                                         0000000077931788 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                0000000077931790 6 bytes [48, B8, B9, 26, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8                                                                            0000000077931798 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                  0000000077931800 6 bytes [48, B8, 79, E5, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8                                                                              0000000077931808 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey                                                                                 00000000779318b0 6 bytes [48, B8, 79, EC, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSetValueKey + 8                                                                             00000000779318b8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                                                0000000077931c80 6 bytes [48, B8, F9, E1, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8                                                                            0000000077931c88 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess                                                                               0000000077931cd0 6 bytes [48, B8, 79, 28, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8                                                                           0000000077931cd8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                              0000000077931d30 6 bytes [48, B8, F9, 24, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8                                                                          0000000077931d38 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                  00000000779320a0 6 bytes [48, B8, 39, D2, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8                                                                              00000000779320a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError                                                                              00000000779325e0 6 bytes [48, B8, 39, 7E, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8                                                                          00000000779325e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                            00000000779327e0 6 bytes [48, B8, 39, 31, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8                                                                        00000000779327e8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                        00000000779329a0 6 bytes [48, B8, F9, D3, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8                                                                    00000000779329a8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                          0000000077932aa0 6 bytes [48, B8, B9, EA, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8                                                                      0000000077932aa8 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 1                                                                        00000000779a3201 3 bytes [B8, F9, 7F]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\SYSTEM32\ntdll.dll!RtlReportException + 5                                                                        00000000779a3205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\kernel32.dll!Process32NextW + 1                                                                         00000000777c20f1 11 bytes [B8, B9, CE, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\kernel32.dll!CreateToolhelp32Snapshot                                                                   00000000777c21e0 12 bytes [48, B8, F9, 39, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\kernel32.dll!CreateProcessInternalW                                                                     00000000777de750 12 bytes [48, B8, B9, 2D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 1                                                                        00000000777e1e31 3 bytes [B8, 39, E0]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\kernel32.dll!GetStartupInfoA + 5                                                                        00000000777e1e35 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\kernel32.dll!ReadConsoleInputW + 1                                                                      0000000077815011 11 bytes [B8, 79, 75, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\kernel32.dll!ReadConsoleInputA + 1                                                                      0000000077815031 11 bytes [B8, F9, 71, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\kernel32.dll!ReadConsoleW                                                                               000000007782a560 12 bytes [48, B8, 79, 7C, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\kernel32.dll!ReadConsoleA                                                                               000000007782a670 12 bytes [48, B8, F9, 78, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!CloseHandle + 1                                                                          000007fefda01861 11 bytes [B8, 39, 4D, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!FreeLibrary + 1                                                                          000007fefda02db1 11 bytes [B8, 79, C2, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 1                                                                       000007fefda03461 3 bytes [B8, 39, C4]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!GetProcAddress + 5                                                                       000007fefda03465 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW                                                                           000007fefda08ef0 12 bytes [48, B8, B9, C0, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!CreateMutexW                                                                             000007fefda094c0 12 bytes [48, B8, 79, 4B, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 1                                                                       000007fefda0bfd1 3 bytes [B8, F9, BE]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExA + 5                                                                       000007fefda0bfd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!OpenMutexW + 1                                                                           000007fefda12af1 11 bytes [B8, B9, 49, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!WriteProcessMemory                                                                       000007fefda34350 12 bytes [48, B8, 79, 3D, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 1                                                                   000007fefda42871 8 bytes [B8, 39, 23, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!CreateRemoteThread + 10                                                                  000007fefda4287a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\KERNELBASE.dll!CreateThread + 1                                                                         000007fefda428b1 11 bytes [B8, B9, 3B, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!CreateWindowExA                                                                              00000000776ca2e0 12 bytes [48, B8, 79, A6, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!CallNextHookEx + 1                                                                           00000000776cbae1 11 bytes [B8, B9, 81, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!FindWindowW + 1                                                                              00000000776cd265 7 bytes [B8, 79, C9, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!FindWindowW + 9                                                                              00000000776cd26d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx                                                                          00000000776cd440 6 bytes [48, B8, 79, 83, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx + 8                                                                      00000000776cd448 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 1                                                                        00000000776cf875 7 bytes [B8, 79, 21, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!SetWindowsHookExW + 9                                                                        00000000776cf87d 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!CreateWindowExW                                                                              00000000776d0810 12 bytes [48, B8, B9, A4, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!ShowWindow                                                                                   00000000776d1930 6 bytes [48, B8, 39, A8, 08, 76]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!ShowWindow + 8                                                                               00000000776d1938 4 bytes [00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!PeekMessageA + 1                                                                             00000000776d3a19 3 bytes [B8, B9, 6C]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!PeekMessageA + 5                                                                             00000000776d3a1d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!GetMessageA + 1                                                                              00000000776d6111 11 bytes [B8, 39, 69, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!SetWindowTextW + 1                                                                           00000000776d7055 3 bytes [B8, B9, B2]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!SetWindowTextW + 5                                                                           00000000776d7059 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!PeekMessageW + 1                                                                             00000000776d8fd1 3 bytes [B8, 79, 6E]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!PeekMessageW + 5                                                                             00000000776d8fd5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!GetMessageW                                                                                  00000000776d9e74 12 bytes [48, B8, F9, 6A, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 1                                                                  00000000776da2c9 3 bytes [B8, 39, EE]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!UserClientDllInitialize + 5                                                                  00000000776da2cd 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 1                                                               00000000776e4efd 3 bytes [B8, B9, AB]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!DialogBoxIndirectParamAorW + 5                                                               00000000776e4f01 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 1                                                            00000000776e7469 3 bytes [B8, F9, A9]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!CreateDialogIndirectParamAorW + 5                                                            00000000776e746d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!FindWindowA + 1                                                                              00000000776e8271 7 bytes [B8, F9, C5, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!FindWindowA + 9                                                                              00000000776e8279 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 1                                                                        00000000776e8c21 8 bytes [B8, B9, 1F, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!SetWindowsHookExA + 10                                                                       00000000776e8c2a 2 bytes [50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!FindWindowExW + 1                                                                            00000000776e8d21 7 bytes [B8, 39, CB, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!FindWindowExW + 9                                                                            00000000776e8d29 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!MessageBoxExA + 1                                                                            0000000077731371 11 bytes [B8, 79, AD, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!MessageBoxExW + 1                                                                            0000000077731395 11 bytes [B8, 39, AF, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!SetWindowTextA + 1                                                                           000000007773d379 3 bytes [B8, F9, B0]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!SetWindowTextA + 5                                                                           000000007773d37d 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!FindWindowExA + 1                                                                            000000007773dae1 7 bytes [B8, B9, C7, 08, 76, 00, 00]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\USER32.dll!FindWindowExA + 9                                                                            000000007773dae9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!WSASend + 1                                                                                  000007feff8713b1 3 bytes [B8, B9, B9]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!WSASend + 5                                                                                  000007feff8713b5 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!closesocket                                                                                  000007feff8718e0 12 bytes [48, B8, F9, B7, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!WSASocketW + 1                                                                               000007feff871bd1 11 bytes [B8, 39, B6, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!WSARecv + 1                                                                                  000007feff872201 3 bytes [B8, B9, DC]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!WSARecv + 5                                                                                  000007feff872205 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!GetAddrInfoW                                                                                 000007feff8723c0 12 bytes [48, B8, 39, A1, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!connect                                                                                      000007feff8745c0 12 bytes [48, B8, 39, 62, 08, 76, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!send + 1                                                                                     000007feff878001 11 bytes [B8, 79, B4, 08, 76, 00, 00, ...]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!gethostbyname                                                                                000007feff878df0 7 bytes [48, B8, F9, A2, 08, 76, 00]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!gethostbyname + 9                                                                            000007feff878df9 3 bytes [00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!socket + 1                                                                                   000007feff87de91 3 bytes [B8, B9, D5]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!socket + 5                                                                                   000007feff87de95 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!recv + 1                                                                                     000007feff87df41 3 bytes [B8, F9, DA]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!recv + 5                                                                                     000007feff87df45 7 bytes [76, 00, 00, 00, 00, 50, C3]
.text     C:\Windows\system32\svchost.exe[4520] C:\Windows\system32\WS2_32.dll!WSAConnect + 1                                                                               000007feff89e0f1 11 bytes [B8, 39, D9, 08, 76, 00, 00, ...]
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtReadFile                                                             0000000077adf8f0 5 bytes JMP 0000000175ba60c1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                            0000000077adf928 5 bytes JMP 0000000175ba66f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                          0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                     0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                   0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                     0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                          0000000077adfdc8 5 bytes JMP 0000000175ba6661
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                   0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                      0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                       0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                        0000000077adffa4 5 bytes JMP 0000000175ba6781
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                      0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                         0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                           0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                          0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                         0000000077ae079c 5 bytes JMP 0000000175ba65d1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                        0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                       0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                           0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                       0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                     0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                 0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                   0000000077ae1d8c 5 bytes JMP 0000000175ba6811
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                           0000000077ae1ee8 5 bytes JMP 0000000175ba6421
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                             0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                           0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                     0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                             0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                     00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                      00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                        00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                              00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                            00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                      00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!WinExec                                                             0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                   0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                   0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                        00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                        0000000075757372 5 bytes JMP 0000000075ba45c1
         

Alt 09.10.2013, 08:09   #14
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 11:

Code:
ATTFilter
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                           0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                       000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                       000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                   000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                      00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                        00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                  00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                    00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                    00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                    00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                       00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                  00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                           00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                             00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                      00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                       00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!GetMessageW                                                           00000000775d78e2 5 bytes JMP 0000000175ba4021
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!GetMessageA                                                           00000000775d7bd3 5 bytes JMP 0000000175ba3f91
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                       00000000775d8a29 5 bytes JMP 0000000175ba52b1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!FindWindowW                                                           00000000775d98fd 5 bytes JMP 0000000175ba5cd1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                               00000000775db6ed 5 bytes JMP 0000000175ba68a1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                       00000000775dd22e 5 bytes JMP 0000000175ba5341
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!FindWindowA                                                           00000000775dffe6 5 bytes JMP 0000000175ba5bb1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                         00000000775e00d9 5 bytes JMP 0000000175ba5c41
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                          00000000775e05ba 5 bytes JMP 0000000175ba4141
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!ShowWindow                                                            00000000775e0dfb 5 bytes JMP 0000000175ba53d1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!PostMessageW                                                          00000000775e12a5 5 bytes JMP 0000000175ba6541
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                        00000000775e20ec 5 bytes JMP 0000000175ba5731
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!PostMessageA                                                          00000000775e3baa 5 bytes JMP 0000000175ba64b1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                          00000000775e5f74 5 bytes JMP 0000000175ba40b1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                        00000000775e6285 5 bytes JMP 0000000175ba4771
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                     00000000775e7603 5 bytes JMP 0000000175ba2ac1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                        00000000775e7aee 5 bytes JMP 0000000175ba56a1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                     00000000775e835c 5 bytes JMP 0000000175ba2a31
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                            00000000775fce54 5 bytes JMP 0000000175ba54f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                   00000000775ff52b 5 bytes JMP 0000000175ba4801
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                         00000000775ff588 5 bytes JMP 0000000175ba5d61
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                         00000000776010a0 5 bytes JMP 0000000175ba5461
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                         000000007762fcd6 5 bytes JMP 0000000175ba5581
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                         000000007762fcfa 5 bytes JMP 0000000175ba5611
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                              00000000771b1465 2 bytes [1B, 77]
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                             00000000771b14bb 2 bytes [1B, 77]
.text     ...                                                                                                                                                               * 2
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4996] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                                    0000000076280171 5 bytes JMP 0000000175ba4891
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtReadFile                                                             0000000077adf8f0 5 bytes JMP 0000000175ba60c1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                            0000000077adf928 5 bytes JMP 0000000175ba66f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                          0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                     0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                   0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                     0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                          0000000077adfdc8 5 bytes JMP 0000000175ba6661
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                   0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                      0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                       0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                        0000000077adffa4 5 bytes JMP 0000000175ba6781
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                      0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                         0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                           0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                          0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                         0000000077ae079c 5 bytes JMP 0000000175ba65d1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                        0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                       0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                           0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                       0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                     0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                 0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                   0000000077ae1d8c 5 bytes JMP 0000000175ba6811
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                           0000000077ae1ee8 5 bytes JMP 0000000175ba6421
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                             0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                           0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                     0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                             0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                     00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                      00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                        00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                              00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                            00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                      00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!WinExec                                                             0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                   0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                   0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                        00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                        0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                           0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                       000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                       000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                   000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                      00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                        00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                  00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                    00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                    00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                    00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                       00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                  00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                           00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                             00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                      00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                       00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!GetMessageW                                                           00000000775d78e2 5 bytes JMP 0000000175ba4021
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!GetMessageA                                                           00000000775d7bd3 5 bytes JMP 0000000175ba3f91
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                       00000000775d8a29 5 bytes JMP 0000000175ba52b1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!FindWindowW                                                           00000000775d98fd 5 bytes JMP 0000000175ba5cd1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                               00000000775db6ed 5 bytes JMP 0000000175ba68a1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                       00000000775dd22e 5 bytes JMP 0000000175ba5341
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!FindWindowA                                                           00000000775dffe6 5 bytes JMP 0000000175ba5bb1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                         00000000775e00d9 5 bytes JMP 0000000175ba5c41
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                          00000000775e05ba 5 bytes JMP 0000000175ba4141
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!ShowWindow                                                            00000000775e0dfb 5 bytes JMP 0000000175ba53d1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!PostMessageW                                                          00000000775e12a5 5 bytes JMP 0000000175ba6541
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                        00000000775e20ec 5 bytes JMP 0000000175ba5731
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!PostMessageA                                                          00000000775e3baa 5 bytes JMP 0000000175ba64b1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                          00000000775e5f74 5 bytes JMP 0000000175ba40b1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                        00000000775e6285 5 bytes JMP 0000000175ba4771
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                     00000000775e7603 5 bytes JMP 0000000175ba2ac1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                        00000000775e7aee 5 bytes JMP 0000000175ba56a1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                     00000000775e835c 5 bytes JMP 0000000175ba2a31
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                            00000000775fce54 5 bytes JMP 0000000175ba54f1
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                   00000000775ff52b 5 bytes JMP 0000000175ba4801
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                         00000000775ff588 5 bytes JMP 0000000175ba5d61
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                         00000000776010a0 5 bytes JMP 0000000175ba5461
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                         000000007762fcd6 5 bytes JMP 0000000175ba5581
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                         000000007762fcfa 5 bytes JMP 0000000175ba5611
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                              00000000771b1465 2 bytes [1B, 77]
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                             00000000771b14bb 2 bytes [1B, 77]
.text     ...                                                                                                                                                               * 2
.text     C:\Users\Peter\AppData\Local\Akamai\netsession_win.exe[4176] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                                    0000000076280171 5 bytes JMP 0000000175ba4891
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                           0000000077adf928 5 bytes JMP 0000000175ba6661
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                               0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                               0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                         0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                    0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                  0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                    0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                         0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                  0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                     0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                      0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                       0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                     0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                        0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                          0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                         0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                        0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                       0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                      0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                          0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                      0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                    0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                  0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                          0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                            0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                          0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                    0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                            0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                    00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                     00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                       00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                             00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                           00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                     00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!WinExec                                                            0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                  0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                  0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                       00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                       0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                          0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                      000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                               000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                      000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                  000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                     00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                       00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                 00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                   00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                   00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                   00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                      00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                 00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                          00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                            00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                     00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                               00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                      00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!GetMessageW                                                          00000000775d78e2 5 bytes JMP 0000000175ba4021
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!GetMessageA                                                          00000000775d7bd3 5 bytes JMP 0000000175ba3f91
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                      00000000775d8a29 5 bytes JMP 0000000175ba52b1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!FindWindowW                                                          00000000775d98fd 5 bytes JMP 0000000175ba5cd1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                              00000000775db6ed 5 bytes JMP 0000000175ba6811
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                      00000000775dd22e 5 bytes JMP 0000000175ba5341
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!FindWindowA                                                          00000000775dffe6 5 bytes JMP 0000000175ba5bb1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                        00000000775e00d9 5 bytes JMP 0000000175ba5c41
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                         00000000775e05ba 5 bytes JMP 0000000175ba4141
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!ShowWindow                                                           00000000775e0dfb 5 bytes JMP 0000000175ba53d1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!PostMessageW                                                         00000000775e12a5 5 bytes JMP 0000000175ba64b1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                       00000000775e20ec 5 bytes JMP 0000000175ba5731
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!PostMessageA                                                         00000000775e3baa 5 bytes JMP 0000000175ba6421
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                         00000000775e5f74 5 bytes JMP 0000000175ba40b1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                       00000000775e6285 5 bytes JMP 0000000175ba4771
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                    00000000775e7603 5 bytes JMP 0000000175ba2ac1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                       00000000775e7aee 5 bytes JMP 0000000175ba56a1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                    00000000775e835c 5 bytes JMP 0000000175ba2a31
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                           00000000775fce54 5 bytes JMP 0000000175ba54f1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                  00000000775ff52b 5 bytes JMP 0000000175ba4801
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                        00000000775ff588 5 bytes JMP 0000000175ba5d61
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                        00000000776010a0 5 bytes JMP 0000000175ba5461
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                        000000007762fcd6 5 bytes JMP 0000000175ba5581
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                        000000007762fcfa 5 bytes JMP 0000000175ba5611
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!closesocket                                                          0000000076eb3918 5 bytes JMP 0000000175ba5851
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                                           0000000076eb3cd3 5 bytes JMP 0000000175ba57c1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!socket                                                               0000000076eb3eb8 5 bytes JMP 0000000175ba60c1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!WSASend                                                              0000000076eb4406 5 bytes JMP 0000000175ba20a1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                                         0000000076eb4889 5 bytes JMP 0000000175ba5191
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!recv                                                                 0000000076eb6b0e 5 bytes JMP 0000000175ba6271
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!connect                                                              0000000076eb6bdd 1 byte JMP 0000000175ba3de1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!connect + 2                                                          0000000076eb6bdf 3 bytes {CALL RCX}
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!send                                                                 0000000076eb6f01 5 bytes JMP 0000000175ba2011
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!WSARecv                                                              0000000076eb7089 5 bytes JMP 0000000175ba6301
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                           0000000076ebcc3f 5 bytes JMP 0000000175ba61e1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[5100] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                                        0000000076ec7673 5 bytes JMP 0000000175ba5221
.text     C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                        0000000077931570 6 bytes [48, B8, F0, 12, DE, 02]
.text     C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[4160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8                                                    0000000077931578 4 bytes [00, 00, 50, C3]
.text     C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe[4160] C:\Windows\system32\kernel32.dll!UnhandledExceptionFilter + 1                                           0000000077859301 11 bytes [B8, F0, 12, 00, 03, 00, 00, ...]
.text     C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[1668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                00000000771b1465 2 bytes [1B, 77]
.text     C:\Program Files\Bitdefender\Bitdefender\antispam32\bdapppassmgr.exe[1668] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                               00000000771b14bb 2 bytes [1B, 77]
.text     ...                                                                                                                                                               * 2
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtReadFile                                                             0000000077adf8f0 5 bytes JMP 0000000175ba60c1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                            0000000077adf928 5 bytes JMP 0000000175ba66f1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                                0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                                0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                          0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                     0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                   0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                     0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                          0000000077adfdc8 5 bytes JMP 0000000175ba6661
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                   0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                      0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                       0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                        0000000077adffa4 5 bytes JMP 0000000175ba6781
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                      0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                         0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                           0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                          0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                         0000000077ae079c 5 bytes JMP 0000000175ba65d1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                        0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                       0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                           0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                       0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                     0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                                 0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                                   0000000077ae1d8c 5 bytes JMP 0000000175ba6811
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                           0000000077ae1ee8 5 bytes JMP 0000000175ba6421
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                             0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                           0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                     0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                             0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                     00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                      00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                        00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                              00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                            00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                      00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!WinExec                                                             0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                                   0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                                   0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                        00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                        0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                           0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                       000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                                000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                       000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                                   000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                      00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                        00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                                  00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                                    00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                                    00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                                    00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                       00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                                  00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                           00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                             00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                      00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                                00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                       00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!GetMessageW                                                           00000000775d78e2 5 bytes JMP 0000000175ba4021
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!GetMessageA                                                           00000000775d7bd3 5 bytes JMP 0000000175ba3f91
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                                       00000000775d8a29 5 bytes JMP 0000000175ba52b1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!FindWindowW                                                           00000000775d98fd 5 bytes JMP 0000000175ba5cd1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                               00000000775db6ed 5 bytes JMP 0000000175ba68a1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                                       00000000775dd22e 5 bytes JMP 0000000175ba5341
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!FindWindowA                                                           00000000775dffe6 5 bytes JMP 0000000175ba5bb1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!FindWindowExA                                                         00000000775e00d9 5 bytes JMP 0000000175ba5c41
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!PeekMessageW                                                          00000000775e05ba 5 bytes JMP 0000000175ba4141
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!ShowWindow                                                            00000000775e0dfb 5 bytes JMP 0000000175ba53d1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!PostMessageW                                                          00000000775e12a5 5 bytes JMP 0000000175ba6541
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                                        00000000775e20ec 5 bytes JMP 0000000175ba5731
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!PostMessageA                                                          00000000775e3baa 5 bytes JMP 0000000175ba64b1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!PeekMessageA                                                          00000000775e5f74 5 bytes JMP 0000000175ba40b1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                                        00000000775e6285 5 bytes JMP 0000000175ba4771
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                     00000000775e7603 5 bytes JMP 0000000175ba2ac1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                                        00000000775e7aee 5 bytes JMP 0000000175ba56a1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                     00000000775e835c 5 bytes JMP 0000000175ba2a31
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                                            00000000775fce54 5 bytes JMP 0000000175ba54f1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                   00000000775ff52b 5 bytes JMP 0000000175ba4801
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!FindWindowExW                                                         00000000775ff588 5 bytes JMP 0000000175ba5d61
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                                         00000000776010a0 5 bytes JMP 0000000175ba5461
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                                         000000007762fcd6 5 bytes JMP 0000000175ba5581
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                                         000000007762fcfa 5 bytes JMP 0000000175ba5611
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                                            000000007734a472 5 bytes JMP 0000000175ba6931
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                                            00000000773527ce 5 bytes JMP 0000000175ba1b91
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\msvcrt.dll!__p__environ                                                          000000007735e6cf 5 bytes JMP 0000000175ba1b01
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                        000000007752ca4c 5 bytes JMP 0000000175ba38d1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                                        0000000077532bf0 5 bytes JMP 0000000175ba3841
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                                  000000007753369c 5 bytes JMP 0000000175ba3cc1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                                 00000000775349e5 5 bytes JMP 0000000175ba69c1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                      000000007754712c 5 bytes JMP 0000000175ba3f01
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                      0000000077547144 5 bytes JMP 0000000175ba3a81
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                                       000000007754715c 5 bytes JMP 0000000175ba3b11
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                                00000000775630e8 5 bytes JMP 0000000175ba3ba1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                                00000000775630f8 5 bytes JMP 0000000175ba3c31
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                                   0000000077563108 5 bytes JMP 0000000175ba3961
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                                   0000000077563118 5 bytes JMP 0000000175ba39f1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                      0000000077563158 5 bytes JMP 0000000175ba3e71
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!closesocket                                                           0000000076eb3918 5 bytes JMP 0000000175ba5851
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!WSASocketW                                                            0000000076eb3cd3 5 bytes JMP 0000000175ba57c1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!socket                                                                0000000076eb3eb8 5 bytes JMP 0000000175ba6151
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!WSASend                                                               0000000076eb4406 5 bytes JMP 0000000175ba20a1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW                                                          0000000076eb4889 5 bytes JMP 0000000175ba5191
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!recv                                                                  0000000076eb6b0e 5 bytes JMP 0000000175ba6301
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!connect                                                               0000000076eb6bdd 1 byte JMP 0000000175ba3de1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!connect + 2                                                           0000000076eb6bdf 3 bytes {CALL RCX}
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!send                                                                  0000000076eb6f01 5 bytes JMP 0000000175ba2011
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!WSARecv                                                               0000000076eb7089 5 bytes JMP 0000000175ba6391
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!WSAConnect                                                            0000000076ebcc3f 5 bytes JMP 0000000175ba6271
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\WS2_32.dll!gethostbyname                                                         0000000076ec7673 5 bytes JMP 0000000175ba5221
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW                                               00000000755a05f3 5 bytes JMP 0000000075ba3d51
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW                                                    00000000755b2df9 5 bytes JMP 0000000075ba2131
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA                                                    00000000755f4c14 5 bytes JMP 0000000075ba29a1
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69                                              00000000771b1465 2 bytes [1B, 77]
.text     C:\Users\Peter\AppData\Roaming\Dropbox\bin\Dropbox.exe[4376] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155                                             00000000771b14bb 2 bytes [1B, 77]
.text     ...                                                                                                                                                               * 2
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                               0000000077adf928 5 bytes JMP 0000000175ba6661
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                   0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                   0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                             0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                        0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                      0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                        0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                             0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                      0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                         0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                          0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                           0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                         0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                            0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                              0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                             0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                            0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                           0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                          0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                              0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                          0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                        0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                    0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                      0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                              0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                              0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                        0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                        00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                         00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                           00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                 00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                               00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!Process32NextW                                         00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!WinExec                                                0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                      0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                      0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                           00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                           0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                              0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                          000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                   000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                          000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                      000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                         00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                           00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                     00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                       00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                       00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                       00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                          00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                     00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                              00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                         00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                   00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                          00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!GetMessageW                                              00000000775d78e2 5 bytes JMP 0000000175ba4021
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!GetMessageA                                              00000000775d7bd3 5 bytes JMP 0000000175ba3f91
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                          00000000775d8a29 5 bytes JMP 0000000175ba52b1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!FindWindowW                                              00000000775d98fd 5 bytes JMP 0000000175ba5cd1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                  00000000775db6ed 5 bytes JMP 0000000175ba6811
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                          00000000775dd22e 5 bytes JMP 0000000175ba5341
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!FindWindowA                                              00000000775dffe6 5 bytes JMP 0000000175ba5bb1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!FindWindowExA                                            00000000775e00d9 5 bytes JMP 0000000175ba5c41
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!PeekMessageW                                             00000000775e05ba 5 bytes JMP 0000000175ba4141
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!ShowWindow                                               00000000775e0dfb 5 bytes JMP 0000000175ba53d1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!PostMessageW                                             00000000775e12a5 5 bytes JMP 0000000175ba64b1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                           00000000775e20ec 5 bytes JMP 0000000175ba5731
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!PostMessageA                                             00000000775e3baa 5 bytes JMP 0000000175ba6421
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!PeekMessageA                                             00000000775e5f74 5 bytes JMP 0000000175ba40b1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                           00000000775e6285 5 bytes JMP 0000000175ba4771
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                        00000000775e7603 5 bytes JMP 0000000175ba2ac1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                           00000000775e7aee 5 bytes JMP 0000000175ba56a1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                        00000000775e835c 5 bytes JMP 0000000175ba2a31
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                               00000000775fce54 5 bytes JMP 0000000175ba54f1
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                      00000000775ff52b 5 bytes JMP 0000000175ba4801
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!FindWindowExW                                            00000000775ff588 5 bytes JMP 0000000175ba5d61
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                            00000000776010a0 5 bytes JMP 0000000175ba5461
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                            000000007762fcd6 5 bytes JMP 0000000175ba5581
.text     C:\Program Files (x86)\Steganos Safe 2012\SteganosHotKeyService.exe[4820] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                            000000007762fcfa 5 bytes JMP 0000000175ba5611
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                       0000000077adf928 5 bytes JMP 0000000175ba6661
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                           0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                           0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                     0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                              0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                                     0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                              0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                                 0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                                  0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                                   0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                                 0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                                    0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                                      0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                                     0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                                    0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                                   0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                                  0000000077ae08a4 5 bytes JMP 0000000175ba2be1
         

Alt 09.10.2013, 08:11   #15
peter4711
 
Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten - Standard

Windows 7: HomeTab\TBUpdater.dll blockiert Firefox und vernichtet Outlook-Daten



GMER Teil 12:

Code:
ATTFilter
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                                      0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                                  0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                            0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                              0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                                      0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                        0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                                      0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                                0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                        0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                                00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                                 00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                                   00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                         00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                                       00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!Process32NextW                                                 00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!WinExec                                                        0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                              0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                              0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                                   00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                                   0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                                      0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                                  000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                           000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                                  000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                              000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                                 00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                                   00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                             00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                               00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                               00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                               00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                                  00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                             00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                                      00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                        00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                                 00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                           00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                                  00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                                   000000007752ca4c 5 bytes JMP 0000000175ba38d1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                                   0000000077532bf0 5 bytes JMP 0000000175ba3841
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                             000000007753369c 5 bytes JMP 0000000175ba3cc1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                            00000000775349e5 5 bytes JMP 0000000175ba6811
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                                 000000007754712c 5 bytes JMP 0000000175ba3f01
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                                 0000000077547144 5 bytes JMP 0000000175ba3a81
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                                  000000007754715c 5 bytes JMP 0000000175ba3b11
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                           00000000775630e8 5 bytes JMP 0000000175ba3ba1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                           00000000775630f8 5 bytes JMP 0000000175ba3c31
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                              0000000077563108 5 bytes JMP 0000000175ba3961
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                              0000000077563118 5 bytes JMP 0000000175ba39f1
.text     C:\Program Files (x86)\Steganos Safe 2012\fredirstarter.exe[3232] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                                 0000000077563158 5 bytes JMP 0000000175ba3e71
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                               0000000077adf928 5 bytes JMP 0000000175ba6661
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                   0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                   0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                             0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                        0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                      0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                        0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection                                             0000000077adfdc8 5 bytes JMP 0000000175ba65d1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                      0000000077adfe14 5 bytes JMP 0000000175ba2f41
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject                                         0000000077adfe44 5 bytes JMP 0000000175ba3181
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                                          0000000077adff24 5 bytes JMP 0000000175ba30f1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection                                           0000000077adffa4 5 bytes JMP 0000000175ba66f1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcessEx                                         0000000077adffec 5 bytes JMP 0000000175ba2d91
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                                            0000000077ae0004 5 bytes JMP 0000000175ba2c71
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile                                              0000000077ae00b4 5 bytes JMP 0000000175ba1e61
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey                                             0000000077ae01c4 5 bytes JMP 0000000175ba2251
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                                            0000000077ae079c 5 bytes JMP 0000000175ba6541
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateProcess                                           0000000077ae0814 5 bytes JMP 0000000175ba2d01
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                                          0000000077ae08a4 5 bytes JMP 0000000175ba2be1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                              0000000077ae0df4 5 bytes JMP 0000000175ba5fa1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtRaiseHardError                                          0000000077ae1604 5 bytes JMP 0000000175ba4651
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                        0000000077ae1920 5 bytes JMP 0000000175ba2fd1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                                    0000000077ae1be4 5 bytes JMP 0000000175ba6031
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl                                      0000000077ae1d8c 5 bytes JMP 0000000175ba6781
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!NtVdmControl                                              0000000077ae1ee8 5 bytes JMP 0000000175ba6391
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!RtlQueryPerformanceCounter                                0000000077af88c4 5 bytes JMP 0000000175ba1a71
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParametersEx                              0000000077b20d3b 5 bytes JMP 0000000175ba1f81
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!RtlReportException                                        0000000077b6860f 5 bytes JMP 0000000175ba46e1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\SysWOW64\ntdll.dll!RtlCreateProcessParameters                                0000000077b6e8ab 5 bytes JMP 0000000175ba1ef1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!GetStartupInfoA                                        00000000756b0e00 5 bytes JMP 0000000075ba1d41
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!CreateProcessA                                         00000000756b1072 5 bytes JMP 0000000075ba2911
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!LoadLibraryA                                           00000000756b4977 5 bytes JMP 0000000075ba2521
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW                                 00000000756c3b93 4 bytes JMP 0000000075ba2eb1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!CreateToolhelp32Snapshot                               00000000756d72f7 5 bytes JMP 0000000075ba2641
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!Process32NextW                                         00000000756d8904 5 bytes JMP 0000000075ba5e81
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!WinExec                                                0000000075732c51 5 bytes JMP 0000000075ba27f1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputA                                      0000000075756f2b 5 bytes JMP 0000000075ba4261
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!ReadConsoleInputW                                      0000000075756f4e 5 bytes JMP 0000000075ba4381
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!ReadConsoleA                                           00000000757572f9 5 bytes JMP 0000000075ba44a1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\kernel32.dll!ReadConsoleW                                           0000000075757372 5 bytes JMP 0000000075ba45c1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!GetSystemTimeAsFileTime                              0000000075998f7d 5 bytes JMP 0000000075ba19e1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!CloseHandle                                          000000007599c428 5 bytes JMP 0000000075ba37b1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!WriteProcessMemory                                   000000007599ec98 5 bytes JMP 0000000075ba32a1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!ExitProcess                                          000000007599f1f8 5 bytes JMP 0000000075ba22e1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!GetStartupInfoW                                      000000007599fa7b 5 bytes JMP 0000000075ba1dd1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!CreateMutexW                                         00000000759a134a 5 bytes JMP 0000000075ba3721
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!OpenMutexW                                           00000000759a1371 5 bytes JMP 0000000075ba3691
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW                                     00000000759a1d1b 5 bytes JMP 0000000075ba1951
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!GetProcAddress                                       00000000759a1e07 5 bytes JMP 0000000075ba2401
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW                                       00000000759a2aa4 5 bytes JMP 0000000075ba5a91
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExA                                       00000000759a2ccc 5 bytes JMP 0000000075ba5a01
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary                                          00000000759a2d0a 5 bytes JMP 0000000075ba5b21
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleA                                     00000000759a2e6d 5 bytes JMP 0000000075ba18c1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!SleepEx                                              00000000759a3b63 5 bytes JMP 0000000075ba21c1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!Sleep                                                00000000759a4489 5 bytes JMP 0000000075ba2371
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!CreateThread                                         00000000759a45fb 5 bytes JMP 0000000075ba3211
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThread                                   00000000759a4624 5 bytes JMP 0000000075ba2b51
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\KERNELBASE.dll!CreateFileA                                          00000000759ac72c 5 bytes JMP 0000000075ba26d1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\msvcrt.dll!_lock + 41                                               000000007734a472 5 bytes JMP 0000000175ba6811
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\msvcrt.dll!__p__fmode                                               00000000773527ce 5 bytes JMP 0000000175ba1b91
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\msvcrt.dll!__p__environ                                             000000007735e6cf 5 bytes JMP 0000000175ba1b01
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!GetMessageW                                              00000000775d78e2 5 bytes JMP 0000000175ba4021
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!GetMessageA                                              00000000775d7bd3 5 bytes JMP 0000000175ba3f91
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!CreateWindowExW                                          00000000775d8a29 5 bytes JMP 0000000175ba52b1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!FindWindowW                                              00000000775d98fd 5 bytes JMP 0000000175ba5cd1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!UserClientDllInitialize                                  00000000775db6ed 5 bytes JMP 0000000175ba68a1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!CreateWindowExA                                          00000000775dd22e 5 bytes JMP 0000000175ba5341
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!FindWindowA                                              00000000775dffe6 5 bytes JMP 0000000175ba5bb1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!FindWindowExA                                            00000000775e00d9 5 bytes JMP 0000000175ba5c41
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!PeekMessageW                                             00000000775e05ba 5 bytes JMP 0000000175ba4141
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!ShowWindow                                               00000000775e0dfb 5 bytes JMP 0000000175ba53d1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!PostMessageW                                             00000000775e12a5 5 bytes JMP 0000000175ba64b1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!SetWindowTextW                                           00000000775e20ec 5 bytes JMP 0000000175ba5731
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!PostMessageA                                             00000000775e3baa 5 bytes JMP 0000000175ba6421
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!PeekMessageA                                             00000000775e5f74 5 bytes JMP 0000000175ba40b1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!CallNextHookEx                                           00000000775e6285 5 bytes JMP 0000000175ba4771
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                        00000000775e7603 5 bytes JMP 0000000175ba2ac1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!SetWindowTextA                                           00000000775e7aee 5 bytes JMP 0000000175ba56a1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                        00000000775e835c 5 bytes JMP 0000000175ba2a31
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamAorW                               00000000775fce54 5 bytes JMP 0000000175ba54f1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                      00000000775ff52b 5 bytes JMP 0000000175ba4801
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!FindWindowExW                                            00000000775ff588 5 bytes JMP 0000000175ba5d61
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamAorW                            00000000776010a0 5 bytes JMP 0000000175ba5461
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!MessageBoxExA                                            000000007762fcd6 5 bytes JMP 0000000175ba5581
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\USER32.dll!MessageBoxExW                                            000000007762fcfa 5 bytes JMP 0000000175ba5611
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceW                                           000000007752ca4c 5 bytes JMP 0000000175ba38d1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!OpenServiceA                                           0000000077532bf0 5 bytes JMP 0000000175ba3841
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!CloseServiceHandle                                     000000007753369c 5 bytes JMP 0000000175ba3cc1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 222                                    00000000775349e5 5 bytes JMP 0000000175ba6931
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceW                                         000000007754712c 5 bytes JMP 0000000175ba3f01
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!ControlService                                         0000000077547144 5 bytes JMP 0000000175ba3a81
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!DeleteService                                          000000007754715c 5 bytes JMP 0000000175ba3b11
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigA                                   00000000775630e8 5 bytes JMP 0000000175ba3ba1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!ChangeServiceConfigW                                   00000000775630f8 5 bytes JMP 0000000175ba3c31
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExA                                      0000000077563108 5 bytes JMP 0000000175ba3961
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!ControlServiceExW                                      0000000077563118 5 bytes JMP 0000000175ba39f1
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\ADVAPI32.dll!CreateServiceA                                         0000000077563158 5 bytes JMP 0000000175ba3e71
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\SHELL32.dll!Shell_NotifyIconW                                       0000000076280171 5 bytes JMP 0000000175ba4891
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                 00000000771b1465 2 bytes [1B, 77]
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                00000000771b14bb 2 bytes [1B, 77]
.text     ...                                                                                                                                                               * 2
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileW                                  00000000755a05f3 5 bytes JMP 0000000075ba3d51
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW                                       00000000755b2df9 5 bytes JMP 0000000075ba2131
.text     C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe[4816] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA                                       00000000755f4c14 5 bytes JMP 0000000075ba29a1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile                                                           0000000077adf928 5 bytes JMP 0000000175ba6661
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtClose                                                               0000000077adf9e0 5 bytes JMP 0000000175ba5f11
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess                                               0000000077adfb28 5 bytes JMP 0000000175ba5971
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess                                                         0000000077adfc20 5 bytes JMP 0000000175ba3061
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection                                                    0000000077adfc50 5 bytes JMP 0000000175ba15f1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                                                  0000000077adfc80 5 bytes JMP 0000000175ba1681
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                    0000000077adfcb0 5 bytes JMP 0000000175ba58e1
.text     C:\Program Files (x86)\Google\Drive\googledrivesync.exe[1576] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection