
Log Analysis and Evaluation: Windows 7: Bluescreen after startup, restore successful but malware suspected


19.02.2014, 08:28   #1
gini57
 
Windows 7: Bluescreen after startup, restore successful but malware suspected



After switching on the laptop on 17.02.204, only a bluescreen appeared, again and again.
After several repair attempts I performed a system restore using the Windows 7 DVD.
After the restore I was able to start Windows 7 again and log in both as a user and as admin.

To be safe, I then wanted to run a virus scan over all files as admin (chef), but this could not be set up. An error message "Access denied" appeared, even though I was doing the configuration as an administrative user.

A normal scan showed no findings.

I then created logs with Defogger, FRST and GMER as described in the instructions.

Defogger disable.txt:
Code:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 21:41 on 18/02/2014 (chef)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-
         
FRST.txt, Addition.txt, Gmer.txt and AVSCAN-20140218-233451-09BAF2F2.LOG are attached, since they are too large.

Many thanks for your support

Regards, Regina

19.02.2014, 09:30   #2
schrauber
/// the machine
/// TB-Ausbilder
 

Windows 7: Bluescreen after startup, restore successful but malware suspected



Hi,

Please always post logs in the thread. If necessary, split them up and use several posts.
I can't open attachments at work, thanks.

This is how it works:
Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
  • Select the entire log file (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it correctly. If everything is fine ... click Reply.

19.02.2014, 10:28   #3
gini57
 
Windows 7: Bluescreen after startup, restore successful but malware suspected



Hello Schrauber,
I already had all the logs in the thread, but was then (automatically?) referred to zipping them. So here they are again...

FRST.txt:

FRST Logfile:

Code:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-02-2014
Ran by chef (administrator) on LAPTOP-R on 18-02-2014 21:48:19
Running from E:\
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: German Standard
Internet Explorer Version 9
Boot Mode: Normal



==================== Processes (Whitelisted) =================

(Lenovo.) C:\Windows\System32\TpShocks.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe
(Elaborate Bytes AG) C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(PC Tools) C:\Program Files\ThreatFire\TFTray.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
(shbox.de) C:\Program Files\FreePDF_XP\fpassist.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Uwe Sieber - www.uwe-sieber.de) C:\Tools\USBDLM\USBDLM_usr.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Synaptics Incorporated) C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
() E:\Defogger.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [X]
HKLM\...\Run: [TpShocks] - C:\Windows\system32\TpShocks.exe [337256 2009-12-11] (Lenovo.)
HKLM\...\Run: [AcWin7Hlpr] - C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe [36864 2009-10-13] ()
HKLM\...\Run: [TPHOTKEY] - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [68976 2009-03-13] (Lenovo Group Limited)
HKLM\...\Run: [LENOVO.TPFNF6R] - C:\Program Files\Lenovo\HOTKEY\TPFNF6R.exe [62752 2009-08-20] (Lenovo Group Limited)
HKLM\...\Run: [VirtualCloneDrive] - C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKLM\...\Run: [ThreatFire] - C:\Program Files\ThreatFire\TFTray.exe [378128 2011-02-22] (PC Tools)
HKLM\...\Run: [COMODO Internet Security] - C:\Program Files\COMODO\COMODO Internet Security\cfp.exe [6756048 2012-11-08] (COMODO)
HKLM\...\Run: [FreePDF Assistant] - C:\Program Files\FreePDF_XP\fpassist.exe [371200 2011-02-23] (shbox.de)
HKLM\...\Run: [BMMGAG] - C:\Program Files\ThinkPad\Utilities\PWRMONIT.DLL [110592 2005-04-20] (IBM Corp.)
HKLM\...\Run: [BMMLREF] - C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE [20480 2005-04-20] ()
HKLM\...\Run: [BMMMONWND] - C:\Program Files\ThinkPad\Utilities\BATINFEX.DLL [396288 2005-04-20] ()
HKLM\...\Run: [BLOG] - C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL [208896 2005-04-20] ()
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2379504 2013-04-24] (Synaptics Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\RunServices: [Atheros Configuration Service] - C:\Windows\syst
AppInit_DLLs: C:\Windows\system32\guard32.dll => C:\Windows\system32\guard32.dll [301264 2012-11-08] (COMODO)
Lsa: [Notification Packages] scecli ACGina
Startup: C:\Users\gini\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Sunbird.lnk
ShortcutTarget: Mozilla Sunbird.lnk -> C:\Program Files\Mozilla Sunbird\sunbird.exe (Mozilla)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.57.1

========================== Services (Whitelisted) =================

R2 AcPrfMgrSvc; C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe [124264 2009-12-11] (Lenovo)
R2 AcSvc; C:\Program Files\Lenovo\Access Connections\AcSvc.exe [255336 2009-12-11] (Lenovo)
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [1990464 2012-11-08] (COMODO)
S2 LENOVO.MICMUTE; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [45424 2009-07-03] (Lenovo Group Limited)
S3 Sony PC Companion; C:\Program Files\Sony\Sony PC Companion\PCCService.exe [155824 2013-02-04] (Avanquest Software)
R2 ThreatFire; C:\Program Files\ThreatFire\TFService.exe [70928 2011-02-22] (PC Tools)
R2 USBDLM; C:\Tools\USBDLM\USBDLM.exe [337888 2012-01-15] (Uwe Sieber - www.uwe-sieber.de)
S2 AntiVirWebService; "C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE" [X]

==================== Drivers (Whitelisted) ====================

S3 AR5416; C:\Windows\System32\DRIVERS\athw.sys [1347168 2009-04-03] (Atheros Communications, Inc.)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [494416 2012-11-08] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [36072 2012-11-08] (COMODO)
R1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [31088 2010-12-16] (Elaborate Bytes AG)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [82952 2012-11-08] (COMODO)
S3 MHIKEY10; C:\Windows\System32\Drivers\MHIKEY10.sys [52096 2010-10-01] (Generic USB smartcard reader)
S3 MSIRCOMM; C:\Windows\System32\DRIVERS\MSIRCOMM.sys [24064 2009-07-14] (Microsoft Corporation)
R3 sxuptp; C:\Windows\System32\DRIVERS\sxuptp.sys [246808 2008-09-12] (silex technology, Inc.)
R0 TfFsMon; C:\Windows\System32\drivers\TfFsMon.sys [51984 2011-02-22] (PC Tools)
R3 TfNetMon; C:\Windows\system32\drivers\TfNetMon.sys [33552 2011-02-22] (PC Tools)
R0 TfSysMon; C:\Windows\System32\drivers\TfSysMon.sys [69392 2011-02-22] (PC Tools)
R1 TPPWR; C:\Windows\System32\drivers\Tppwr.sys [16384 2005-04-20] (IBM Corp.)
R3 VSTHWICH; C:\Windows\System32\DRIVERS\VSTICH3.SYS [242176 2009-07-13] (Conexant Systems, Inc.)
R3 WSIMD; C:\Windows\System32\DRIVERS\wsimd.sys [57408 2008-02-08] (Atheros Communications, Inc.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-02-18 21:45 - 2014-02-18 21:48 - 00000000 ____D () C:\FRST
2014-02-18 21:41 - 2014-02-18 21:41 - 00000000 _____ () C:\Users\chef\defogger_reenable
2014-02-18 21:35 - 2014-02-18 21:35 - 00000326 _____ () C:\Windows\PFRO.log
2014-02-18 21:26 - 2014-02-18 21:29 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-02-17 21:40 - 2014-02-17 21:41 - 00137160 _____ () C:\Windows\Minidump\021714-31274-01.dmp
2014-02-15 11:28 - 2014-02-15 11:29 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-13 23:36 - 2014-02-13 23:37 - 00137160 _____ () C:\Windows\Minidump\021314-43332-01.dmp
2014-02-13 22:48 - 2014-02-13 22:48 - 00000000 ____D () C:\Users\ekki\AppData\Roaming\Thunderbird
2014-02-13 22:48 - 2014-02-13 22:48 - 00000000 ____D () C:\Users\ekki\AppData\Local\Thunderbird
2014-02-13 20:41 - 2014-02-05 09:58 - 12345344 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-13 20:41 - 2014-02-05 09:56 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-13 20:41 - 2014-02-05 09:53 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-13 20:41 - 2014-02-05 09:51 - 01105408 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-13 20:41 - 2014-02-05 09:50 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-13 20:41 - 2014-02-05 09:49 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-13 20:41 - 2014-02-05 09:49 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-02-13 20:41 - 2014-02-05 09:48 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-13 20:41 - 2014-02-05 09:48 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-02-13 20:41 - 2014-02-05 09:48 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-13 20:41 - 2014-02-05 09:48 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-13 20:41 - 2014-02-05 09:48 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-13 20:41 - 2014-02-05 09:47 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-13 20:41 - 2014-02-05 09:47 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-13 20:41 - 2014-02-05 09:47 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-02-13 20:41 - 2014-02-05 09:46 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-13 20:29 - 2014-01-01 00:05 - 00420008 _____ () C:\Windows\system32\locale.nls
2014-02-13 20:29 - 2013-12-06 03:02 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-02-13 20:29 - 2013-12-06 03:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-02-13 20:29 - 2013-11-27 00:29 - 05693440 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-02-13 20:26 - 2013-12-25 00:09 - 01987584 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-02-13 20:26 - 2013-11-26 09:16 - 03419136 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2014-02-13 20:21 - 2013-12-04 03:03 - 00428032 _____ (Microsoft Corporation) C:\Windows\system32\secproc.dll
2014-02-13 20:21 - 2013-12-04 03:03 - 00423936 _____ (Microsoft Corporation) C:\Windows\system32\secproc_isv.dll
2014-02-13 20:21 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp_isv.dll
2014-02-13 20:21 - 2013-12-04 03:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp.dll
2014-02-13 20:21 - 2013-12-04 03:02 - 00390144 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll
2014-02-13 20:21 - 2013-12-04 02:54 - 00594944 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_isv.exe
2014-02-13 20:21 - 2013-12-04 02:54 - 00572416 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate.exe
2014-02-13 20:21 - 2013-12-04 02:54 - 00510976 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp.exe
2014-02-13 20:21 - 2013-12-04 02:54 - 00508928 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp_isv.exe
2014-01-21 21:30 - 2014-02-18 21:35 - 00005545 _____ () C:\Windows\setupact.log
2014-01-21 21:30 - 2014-01-21 21:30 - 00000000 _____ () C:\Windows\setuperr.log

==================== One Month Modified Files and Folders =======

2014-02-18 21:48 - 2014-02-18 21:45 - 00000000 ____D () C:\FRST
2014-02-18 21:47 - 2012-10-10 18:53 - 00000000 ____D () C:\Program Files\ThreatFire
2014-02-18 21:44 - 2012-09-29 21:15 - 01306572 _____ () C:\Windows\WindowsUpdate.log
2014-02-18 21:43 - 2009-07-14 05:34 - 00031872 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-18 21:43 - 2009-07-14 05:34 - 00031872 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-18 21:41 - 2014-02-18 21:41 - 00000000 _____ () C:\Users\chef\defogger_reenable
2014-02-18 21:41 - 2012-09-29 21:42 - 00000000 ____D () C:\Users\chef
2014-02-18 21:35 - 2014-02-18 21:35 - 00000326 _____ () C:\Windows\PFRO.log
2014-02-18 21:35 - 2014-01-21 21:30 - 00005545 _____ () C:\Windows\setupact.log
2014-02-18 21:35 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-18 21:29 - 2014-02-18 21:26 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-02-18 21:28 - 2013-08-25 17:51 - 00000000 ____D () C:\ProgramData\Avira
2014-02-18 19:48 - 2012-11-08 22:51 - 00000444 _____ () C:\Windows\Tasks\BMMTask.job
2014-02-18 16:24 - 2010-11-20 22:01 - 01619700 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-17 21:58 - 2013-02-20 20:08 - 00000000 ____D () C:\Users\gini
2014-02-17 21:41 - 2014-02-17 21:40 - 00137160 _____ () C:\Windows\Minidump\021714-31274-01.dmp
2014-02-17 21:40 - 2014-01-07 11:44 - 00000000 ____D () C:\Windows\Minidump
2014-02-17 21:39 - 2013-02-20 19:36 - 00000000 ____D () C:\Users\ekki
2014-02-17 21:39 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-02-17 21:39 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\registration
2014-02-16 12:20 - 2013-08-20 09:17 - 00000000 ____D () C:\Users\gini\AppData\Roaming\Audacity
2014-02-16 12:18 - 2012-10-09 21:38 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-02-15 11:29 - 2014-02-15 11:28 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-02-14 23:36 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-02-14 00:10 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\rescache
2014-02-13 23:37 - 2014-02-13 23:36 - 00137160 _____ () C:\Windows\Minidump\021314-43332-01.dmp
2014-02-13 22:48 - 2014-02-13 22:48 - 00000000 ____D () C:\Users\ekki\AppData\Roaming\Thunderbird
2014-02-13 22:48 - 2014-02-13 22:48 - 00000000 ____D () C:\Users\ekki\AppData\Local\Thunderbird
2014-02-13 22:31 - 2012-10-08 20:52 - 00000000 ____D () C:\Users\chef\.mucommander
2014-02-13 22:28 - 2012-12-18 22:57 - 00000947 _____ () C:\Users\Public\Desktop\Mp3tag.lnk
2014-02-13 22:28 - 2012-12-18 22:57 - 00000000 ____D () C:\Program Files\Mp3tag
2014-02-13 22:26 - 2012-12-18 22:58 - 00000000 ____D () C:\Users\chef\AppData\Roaming\Mp3tag
2014-02-13 21:57 - 2013-12-18 22:27 - 00001034 _____ () C:\Users\Public\Desktop\VLC media player.lnk
2014-02-13 21:34 - 2012-10-10 21:00 - 00000000 ____D () C:\Users\chef\AppData\Roaming\Audacity
2014-02-13 21:24 - 2013-06-12 22:16 - 00000000 ____D () C:\Users\chef\AppData\Local\Adobe
2014-02-13 21:24 - 2012-10-09 21:46 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-02-13 21:24 - 2012-10-09 21:46 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-02-13 21:18 - 2013-11-14 22:46 - 00000000 ____D () C:\Program Files\Mozilla Thunderbird
2014-02-13 20:58 - 2013-07-15 17:50 - 00000000 ____D () C:\Windows\system32\MRT
2014-02-13 20:49 - 2012-10-10 22:44 - 85946576 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-02-13 20:31 - 2009-07-14 03:37 - 00000000 ____D () C:\Windows\system32\de-DE
2014-02-13 00:10 - 2013-05-18 14:15 - 00000000 ____D () C:\Users\gini\AppData\Roaming\BOM
2014-02-10 23:22 - 2013-03-28 22:29 - 00000000 ____D () C:\Users\gini\AppData\Local\FreePDF_XP
2014-02-05 09:58 - 2014-02-13 20:41 - 12345344 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-02-05 09:56 - 2014-02-13 20:41 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-02-05 09:53 - 2014-02-13 20:41 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-02-05 09:51 - 2014-02-13 20:41 - 01105408 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-02-05 09:50 - 2014-02-13 20:41 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-02-05 09:49 - 2014-02-13 20:41 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-02-05 09:49 - 2014-02-13 20:41 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-02-05 09:48 - 2014-02-13 20:41 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-02-05 09:48 - 2014-02-13 20:41 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-02-05 09:48 - 2014-02-13 20:41 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-02-05 09:48 - 2014-02-13 20:41 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-02-05 09:48 - 2014-02-13 20:41 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-02-05 09:47 - 2014-02-13 20:41 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-02-05 09:47 - 2014-02-13 20:41 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-02-05 09:47 - 2014-02-13 20:41 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-02-05 09:46 - 2014-02-13 20:41 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-02-04 23:42 - 2013-03-06 19:52 - 00000000 ____D () C:\Users\gini\AppData\Roaming\vlc
2014-02-01 22:05 - 2009-07-14 05:53 - 00032632 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-24 21:57 - 2013-04-04 10:20 - 00000000 ____D () C:\Users\gini\.mucommander
2014-01-22 22:37 - 2013-06-10 14:23 - 00000000 ____D () C:\CardReader
2014-01-21 21:30 - 2014-01-21 21:30 - 00000000 _____ () C:\Windows\setuperr.log
2014-01-20 21:26 - 2012-09-29 22:10 - 00000000 ____D () C:\Windows\Panther

Some content of TEMP:
====================
C:\Users\ekki\AppData\Local\Temp\AskSLib.dll
C:\Users\ekki\AppData\Local\Temp\avgnt.exe
C:\Users\ekki\AppData\Local\Temp\Checkupdate.exe
C:\Users\ekki\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\ekki\AppData\Local\Temp\gcapi_dll.dll
C:\Users\ekki\AppData\Local\Temp\gtapi_signed.dll
C:\Users\gini\AppData\Local\Temp\AskSLib.dll
C:\Users\gini\AppData\Local\Temp\avgnt.exe
C:\Users\gini\AppData\Local\Temp\Checkupdate.exe
C:\Users\gini\AppData\Local\Temp\ecrinwd1.dll
C:\Users\gini\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\gini\AppData\Local\Temp\Foxit Updater.exe
C:\Users\gini\AppData\Local\Temp\gcapi_dll.dll
C:\Users\gini\AppData\Local\Temp\gtapi_signed.dll
C:\Users\gini\AppData\Local\Temp\jna5314436778881323239.dll
C:\Users\gini\AppData\Local\Temp\jna6319985011786942891.dll
C:\Users\gini\AppData\Local\Temp\jna67619801806900368.dll
C:\Users\gini\AppData\Local\Temp\jna6885078733716915831.dll
C:\Users\gini\AppData\Local\Temp\jna8462753187460255465.dll
C:\Users\gini\AppData\Local\Temp\Nokia_Suite_PCS_update.exe
C:\Users\chef\AppData\Local\Temp\avgnt.exe
C:\Users\chef\AppData\Local\Temp\Checkupdate.exe
C:\Users\chef\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\chef\AppData\Local\Temp\gcapi_dll.dll
C:\Users\chef\AppData\Local\Temp\gtapi_signed.dll
C:\Users\chef\AppData\Local\Temp\jna2717950152216819154.dll
C:\Users\chef\AppData\Local\Temp\jna928355162319514545.dll
C:\Users\chef\AppData\Local\Temp\PicasaUpdater_3221.exe
C:\Users\chef\AppData\Local\Temp\vlc-2.1.3-win32.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-02-18 16:44

==================== End Of Log ============================
         

and Addition.txt:

FRST Additions Logfile:
Code:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-02-2014
Ran by chef at 2014-02-18 21:51:16
Running from E:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: COMODO Defense+ (Enabled - Up to date) {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall (Enabled) {7DB03214-694B-060B-1600-BD4715C36DBB}

==================== Installed Programs ======================

7-Zip 9.20 (Version:  - )
Adobe Flash Player 11 ActiveX (Version: 11.6.602.180 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (Version: 12.0.0.44 - Adobe Systems Incorporated)
Anzeige am Bildschirm (Version: 5.32.00 - )
Audacity 2.0.5 (Version: 2.0.5 - Audacity Team)
Biet-O-Matic v2.14.12 (Version: 2.14.12 - BOM Development Team)
CDex - Open Source Digital Audio CD Extractor (Version: 1.70.4.2009 - Georgy Berdyshev)
Citrix Authentication Manager (Version: 5.0.0.60597 - Citrix Systems, Inc.) Hidden
Citrix Receiver (DV) (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
Citrix Receiver (HDX Flash-Umleitung) (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
Citrix Receiver (USB) (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
Citrix Receiver (Version: 14.0.0.91 - Citrix Systems, Inc.)
Citrix Receiver Inside (Version: 3.4.0.45902 - Citrix Systems, Inc.) Hidden
Citrix Receiver Updater (Version: 4.0.0.45893 - Citrix Systems, Inc.) Hidden
Citrix Receiver(Aero) (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
CloudReading (Version: 1.0.27.1025 - Foxit Corporation)
COMODO Internet Security (Version: 5.10.31649.2253 - COMODO Security Solutions Inc.)
Dienstprogramm "ThinkPad UltraNav" (Version: 2.13.0 - Lenovo)
ElsterFormular (Version: 14.4.12044 - Landesfinanzdirektion Thüringen)
ElsterFormular 2008/2009 (Version: 10.3.2.0 - Steuerverwaltung des Bundes und der Länder)
Foxit Reader (Version: 6.1.1.1031 - Foxit Corporation)
FreePDF (Remove only) (Version:  - )
GPL Ghostscript (Version: 9.06 - Artifex Software Inc.)
IBM ThinkPad Battery MaxiMiser and Power Management Features (Version: 1.38 - )
Java 7 Update 51 (Version: 7.0.510 - Oracle)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
LAME v3.99.3 (for Windows) (Version:  - )
Lenovo Power Management Driver (Version: 1.67.04.04 - )
Microsoft .NET Framework 4.5.1 (DEU) (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (Deutsch) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 27.0.1 (x86 de) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (Version: 27.0.1 - Mozilla)
Mozilla Thunderbird 24.3.0 (x86 de) (Version: 24.3.0 - Mozilla)
Mp3tag v2.58 (Version: v2.58 - Florian Heidenreich)
MSVC90_x86 (Version: 1.0.1.2 - Nokia) Hidden
muCommander (remove only) (Version:  - )
MyPhoneExplorer (Version: 1.8.5 - F.J. Wechselberger)
Nokia Connectivity Cable Driver (Version: 7.1.78.0 - Nokia)
Nokia PC Suite (Version: 7.1.180.94 - Nokia)
Nokia PC Suite (Version: 7.1.180.94 - Nokia) Hidden
Online Plug-in (Version: 14.0.0.91 - Citrix Systems, Inc.) Hidden
OpenOffice 4.0.1 (Version: 4.01.9714 - Apache Software Foundation)
PC Connectivity Solution (Version: 12.0.27.0 - Nokia)
Picasa 3 (Version: 3.9 - Google, Inc.)
RedMon - Redirection Port Monitor (Version:  - )
Self-Service Plug-in (Version: 4.0.0.40674 - Citrix Systems, Inc.) Hidden
Sony PC Companion 2.10.165 (Version: 2.10.165 - Sony)
StreamTransport version: 1.0.2.2171 (Version:  - )
SX Virtual Link (Version: 3.1.0 - silex technology, Inc.)
TeamViewer 9 (Version: 9.0.24482 - TeamViewer)
ThinkPad 11a/b/g/n Wireless LAN Mini-PCI Express Adapter (Version: 7.6.1.260b - )
ThinkPad FullScreen Magnifier (Version: 2.10 - )
ThinkPad UltraNav Driver (Version: 16.2.19.7 - )
ThinkVantage Access Connections (Version: 5.50 - Lenovo)
ThinkVantage System für aktiven Festplattenschutz (Version: 1.71 - Lenovo)
ThreatFire (Version:  - PC Tools)
TightVNC (Version: 2.6.4.0 - GlavSoft LLC.)
VirtualCloneDrive (Version:  - Elaborate Bytes)
VLC media player 2.1.3 (Version: 2.1.3 - VideoLAN)
Windows-Treiberpaket - Nokia Modem  (02/25/2011 4.7) (Version: 02/25/2011 4.7 - Nokia)
Windows-Treiberpaket - Nokia Modem  (02/25/2011 7.01.0.9) (Version: 02/25/2011 7.01.0.9 - Nokia)
Windows-Treiberpaket - Nokia pccsmcfd “LegacyDriver”  (05/31/2012 7.1.2.0) (Version: 05/31/2012 7.1.2.0 - Nokia)

==================== Restore Points  =========================


==================== Hosts content: ==========================

2009-07-14 03:04 - 2009-06-10 22:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {32D1AD87-3DC3-4E32-9645-92358F3C7622} - System32\Tasks\BMMTask => C:\Program Files\ThinkPad\Utilities\BMMTASK.EXE [2005-04-20] ()
Task: {C9D6BC11-0F9A-48D0-8040-6D8716480C4E} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: C:\Windows\Tasks\BMMTask.job => C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE

==================== Loaded Modules (whitelisted) =============

2009-12-11 10:58 - 2009-12-11 10:58 - 00655360 _____ () C:\Program Files\Lenovo\Access Connections\ACDeskBand.dll
2012-11-08 22:51 - 2005-04-20 00:38 - 00396288 _____ () C:\Program Files\ThinkPad\Utilities\BATINFEX.DLL

==================== Safe Mode (whitelisted) ===================


==================== Disabled items from MSCONFIG ==============

MSCONFIG\Services: gusvc => 3
MSCONFIG\Services: TeamViewer8 => 2
MSCONFIG\startupreg: CitrixReceiver => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
MSCONFIG\startupreg: ConnectionCenter => "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
MSCONFIG\startupreg: Redirector => "C:\Program Files\Citrix\ICA Client\redirector.exe" /startup

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/18/2014 09:36:07 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/18/2014 04:49:41 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent assembly "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (02/18/2014 04:47:00 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent assembly "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (02/18/2014 04:44:18 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1". Error in manifest or policy file "2" on line 3.
Invalid XML syntax.

Error: (02/18/2014 04:00:20 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/17/2014 10:21:28 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent assembly "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (02/17/2014 10:18:53 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent assembly "Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (02/17/2014 10:16:31 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "1". Error in manifest or policy file "2" on line 3.
Invalid XML syntax.

Error: (02/17/2014 09:50:55 PM) (Source: Windows Backup) (User: )
Description: The backup was not completed because of an error writing to the backup location "\\DESKTOP-S\_Dasi\Laptop-R\". Error: "You need the "Full Control" permission level for this path in order to save files to a network location. (0x8100002A)"

Error: (02/17/2014 09:42:01 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (02/18/2014 09:35:50 PM) (Source: Service Control Manager) (User: )
Description: The "Avira Browser-Schutz" service depends on the following service: AntiVirService. This service might not be installed.

Error: (02/18/2014 06:52:26 PM) (Source: Service Control Manager) (User: )
Description: The "Avira Browser-Schutz" service terminated with the following service-specific error: %%4.

Error: (02/18/2014 06:16:29 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume "C:" were aborted because the shadow copy storage could not grow due to a user-imposed limit.

Error: (02/17/2014 10:15:34 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume "C:" were aborted because the shadow copy storage could not grow due to a user-imposed limit.

Error: (02/17/2014 09:41:08 PM) (Source: BugCheck) (User: )
Description: 0x0000000a (0x00000016, 0x00000002, 0x00000000, 0x82c6ecda)C:\Windows\MEMORY.DMP021714-31274-01

Error: (02/15/2014 11:11:17 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume "C:" were aborted because the shadow copy storage could not grow due to a user-imposed limit.

Error: (02/13/2014 11:44:36 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 ms) was reached while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.

Error: (02/13/2014 11:42:38 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 ms) was reached while waiting for a transaction response from the lmhosts service.

Error: (02/13/2014 11:37:09 PM) (Source: BugCheck) (User: )
Description: 0x0000000a (0x00000016, 0x00000002, 0x00000000, 0x82c6dcda)C:\Windows\MEMORY.DMP021314-43332-01

Error: (02/13/2014 11:36:13 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 23:30:45 on 13.02.2014 was unexpected.


Microsoft Office Sessions:
=========================
Error: (02/18/2014 09:36:07 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/18/2014 04:49:41 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Sony\sony pc companion\Drivers\DPInst64.exe

Error: (02/18/2014 04:47:00 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\Nokia\Nokia PC Suite 7\TIS_Windows7PIM.dll

Error: (02/18/2014 04:44:18 PM) (Source: SideBySide)(User: )
Description: C:\Program Files\Lenovo\Access Connections\AcCryptHlpr.dllC:\Program Files\Lenovo\Access Connections\AcCryptHlpr.dll0

Error: (02/18/2014 04:00:20 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/17/2014 10:21:28 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"c:\program files\Sony\sony pc companion\Drivers\DPInst64.exe

Error: (02/17/2014 10:18:53 PM) (Source: SideBySide)(User: )
Description: Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"C:\Program Files\Nokia\Nokia PC Suite 7\TIS_Windows7PIM.dll

Error: (02/17/2014 10:16:31 PM) (Source: SideBySide)(User: )
Description: C:\Program Files\Lenovo\Access Connections\AcCryptHlpr.dllC:\Program Files\Lenovo\Access Connections\AcCryptHlpr.dll0

Error: (02/17/2014 09:50:55 PM) (Source: Windows Backup)(User: )
Description: \\DESKTOP-S\_Dasi\Laptop-R\You need the "Full Control" permission level for this path in order to save files to a network location. (0x8100002A)

Error: (02/17/2014 09:42:01 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
  Date: 2014-02-18 21:21:41.306
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.

  Date: 2014-02-18 21:07:26.277
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.

  Date: 2014-02-18 18:52:38.556
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.

  Date: 2014-02-18 17:48:06.245
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.

  Date: 2014-02-18 16:22:45.561
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.

  Date: 2014-02-17 22:26:37.693
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.

  Date: 2014-02-17 22:01:03.870
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.

  Date: 2014-02-16 21:43:42.688
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.

  Date: 2014-02-16 12:13:56.537
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.

  Date: 2014-02-14 00:48:49.117
  Description: Code Integrity is unable to verify the image integrity of the file "\Device\HarddiskVolume2\Program Files\ThreatFire\TFWAH.dll" because the set of per-page image hashes could not be found on the system.


==================== Memory info =========================== 

Percentage of memory in use: 70%
Total physical RAM: 1022.99 MB
Available physical RAM: 301.62 MB
Total Pagefile: 2046.99 MB
Available Pagefile: 1124.23 MB
Total Virtual: 2047.88 MB
Available Virtual: 1898.47 MB

==================== Drives ================================

Drive c: (LAPTOP-R_C) (Fixed) (Total:29.2 GB) (Free:6.25 GB) NTFS
Drive d: (LAPTOP-R_D) (Fixed) (Total:53.19 GB) (Free:26.03 GB) NTFS
Drive e: () (Removable) (Total:3.85 GB) (Free:3.32 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 112 GB) (Disk ID: 89D80A4B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=29 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=53 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 4 GB) (Disk ID: A7D7004D)
Partition 1: (Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================


more to follow...
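The "System errors" section of the FRST log above contains two BugCheck records. As an added example (not part of FRST, and not from the poster), the script below parses such records and decodes the four parameters of bug check 0x0000000A according to the Windows bug check reference; the three sample records are copied from the log above, everything else is mine.

```python
"""Parse the BugCheck records FRST copies out of the System event log and
decode the parameters of bug check 0x0000000A (IRQL_NOT_LESS_OR_EQUAL).
Added example for this thread: not FRST's code and not the poster's."""
import re
from collections import Counter

# Constructed input: the two BugCheck records and one EventLog record from
# the FRST "System errors" section posted above, verbatim.
FRST_EXCERPT = """\
Error: (02/17/2014 09:41:08 PM) (Source: BugCheck) (User: )
Description: 0x0000000a (0x00000016, 0x00000002, 0x00000000, 0x82c6ecda)C:\\Windows\\MEMORY.DMP021714-31274-01

Error: (02/13/2014 11:37:09 PM) (Source: BugCheck) (User: )
Description: 0x0000000a (0x00000016, 0x00000002, 0x00000000, 0x82c6dcda)C:\\Windows\\MEMORY.DMP021314-43332-01

Error: (02/13/2014 11:36:13 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 23:30:45 on 13.02.2014 was unexpected.
"""

BUGCHECK_RE = re.compile(
    r"Error: \((?P<when>[^)]*)\) \(Source: BugCheck\)[^\n]*\n"
    r"Description: (?P<code>0x[0-9A-Fa-f]{8}) \("
    r"(?P<p1>0x[0-9A-Fa-f]+), (?P<p2>0x[0-9A-Fa-f]+), "
    r"(?P<p3>0x[0-9A-Fa-f]+), (?P<p4>0x[0-9A-Fa-f]+)\)(?P<dump>\S*)"
)

# Parameter meaning for bug check 0xA (Windows bug check reference):
# P1 = address that was referenced, P2 = IRQL at the time of the reference,
# P3 = 0 for a read / 1 for a write, P4 = address of the instruction that
# made the reference. IRQL 2 is DISPATCH_LEVEL, where pageable memory must
# not be touched. The faulting code runs in kernel mode (a driver or the
# kernel), so a user-mode program cannot raise this bug check directly.
BUGCHECK_NAMES = {0x0A: "IRQL_NOT_LESS_OR_EQUAL"}
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}


def parse_bugchecks(text):
    """One dict per BugCheck record; hex fields become ints."""
    records = []
    for m in BUGCHECK_RE.finditer(text):
        code = int(m["code"], 16)
        params = [int(m[k], 16) for k in ("p1", "p2", "p3", "p4")]
        rec = {"when": m["when"], "code": code,
               "name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
               "params": params, "dump": m["dump"]}
        if code == 0x0A:
            rec.update(referenced=params[0], irql=params[1],
                       irql_name=IRQL_NAMES.get(params[1], f"IRQL {params[1]}"),
                       access="write" if params[2] else "read",
                       instruction=params[3])
        records.append(rec)
    return records


def recurring_faults(records):
    """Count crashes per (code, P1, P2, P3). P4 is an absolute kernel address
    that can move between boots, so it is deliberately left out of the key."""
    return Counter((r["code"], *r["params"][:3]) for r in records)


def instruction_deltas(records):
    """Distance between the P4 addresses of consecutive 0xA records. With
    identical P1..P3, a delta of a page or a few pages is what the same
    faulting instruction looks like when the image was loaded at a slightly
    different base (an interpretation; the dump is what confirms it)."""
    addrs = [r["instruction"] for r in records if "instruction" in r]
    return [abs(a - b) for a, b in zip(addrs, addrs[1:])]


if __name__ == "__main__":
    recs = parse_bugchecks(FRST_EXCERPT)
    for r in recs:
        print(f"{r['when']}: {r['name']} referenced {r['referenced']:#010x} "
              f"({r['access']}) at {r['irql_name']}, faulting instruction "
              f"{r['instruction']:#010x}, dump {r['dump']}")
    for key, n in recurring_faults(recs).items():
        print(f"code {key[0]:#x}, P1..P3 {[hex(p) for p in key[1:]]}: {n} crash(es)")
    print("P4 deltas:", [hex(d) for d in instruction_deltas(recs)])
```

Both records decode to the same thing: a read of address 0x16 at DISPATCH_LEVEL, with the faulting instruction 0x1000 apart between the two boots. That says the crash is one recurring kernel-mode fault rather than two unrelated ones; which driver owns the instruction can only be read from the MEMORY.DMP or minidump the record names, and the event alone neither indicates nor rules out malware.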

and continuing:

AVSCAN-20140218-233451-09BAF2F2.LOG:

Code:
ATTFilter

Avira Free Antivirus
Report file created: Tuesday, 18 February 2014  23:35


The program is running as an unrestricted full version.
Online services are available.

Licensee       : Avira Antivirus Free
Serial number  : 0000149996-AVHOE-0000001
Platform       : Windows 7 Professional
Windows version: (Service Pack 1)  [6.1.7601]
Boot mode      : Normally booted
Username       : SYSTEM
Computer name  : LAPTOP-R

Version information:
BUILD.DAT      : 14.0.3.338     56624 Bytes  14.02.2014 11:00:00
AVSCAN.EXE     : 14.0.3.332   1058384 Bytes  14.02.2014 10:00:47
AVSCANRC.DLL   : 14.0.2.180     62008 Bytes  14.02.2014 10:00:47
LUKE.DLL       : 14.0.3.336     65616 Bytes  14.02.2014 10:00:49
AVSCPLR.DLL    : 14.0.3.336    124496 Bytes  14.02.2014 10:00:47
AVREG.DLL      : 14.0.3.336    250448 Bytes  14.02.2014 10:00:47
avlode.dll     : 14.0.3.336    544848 Bytes  14.02.2014 10:00:47
avlode.rdf     : 14.0.3.26      58589 Bytes  18.02.2014 21:38:41
VBASE000.VDF   : 7.11.70.0   66736640 Bytes  04.04.2013 10:00:51
VBASE001.VDF   : 7.11.74.226  2201600 Bytes  30.04.2013 10:00:51
VBASE002.VDF   : 7.11.80.60   2751488 Bytes  28.05.2013 10:00:51
VBASE003.VDF   : 7.11.85.214  2162688 Bytes  21.06.2013 10:00:51
VBASE004.VDF   : 7.11.91.176  3903488 Bytes  23.07.2013 10:00:51
VBASE005.VDF   : 7.11.98.186  6822912 Bytes  29.08.2013 10:00:51
VBASE006.VDF   : 7.11.103.230  2293248 Bytes  24.09.2013 10:00:51
VBASE007.VDF   : 7.11.116.38  5485568 Bytes  28.11.2013 10:00:51
VBASE008.VDF   : 7.11.126.50  3615744 Bytes  22.01.2014 10:00:51
VBASE009.VDF   : 7.11.128.174  2030080 Bytes  03.02.2014 10:00:51
VBASE010.VDF   : 7.11.128.175     2048 Bytes  03.02.2014 10:00:51
VBASE011.VDF   : 7.11.128.176     2048 Bytes  03.02.2014 10:00:51
VBASE012.VDF   : 7.11.128.177     2048 Bytes  03.02.2014 10:00:51
VBASE013.VDF   : 7.11.128.178     2048 Bytes  03.02.2014 10:00:51
VBASE014.VDF   : 7.11.129.9    211456 Bytes  04.02.2014 10:00:51
VBASE015.VDF   : 7.11.129.163   215040 Bytes  06.02.2014 10:00:51
VBASE016.VDF   : 7.11.130.21   220672 Bytes  08.02.2014 10:00:51
VBASE017.VDF   : 7.11.130.99   230400 Bytes  10.02.2014 10:00:51
VBASE018.VDF   : 7.11.130.193   195072 Bytes  11.02.2014 10:00:51
VBASE019.VDF   : 7.11.131.53   285184 Bytes  13.02.2014 10:00:51
VBASE020.VDF   : 7.11.131.125   154624 Bytes  14.02.2014 21:38:38
VBASE021.VDF   : 7.11.131.201   194560 Bytes  15.02.2014 21:38:38
VBASE022.VDF   : 7.11.132.11   233472 Bytes  17.02.2014 21:38:39
VBASE023.VDF   : 7.11.132.80   415232 Bytes  18.02.2014 21:38:40
VBASE024.VDF   : 7.11.132.81     2048 Bytes  18.02.2014 21:38:40
VBASE025.VDF   : 7.11.132.82     2048 Bytes  18.02.2014 21:38:40
VBASE026.VDF   : 7.11.132.83     2048 Bytes  18.02.2014 21:38:40
VBASE027.VDF   : 7.11.132.84     2048 Bytes  18.02.2014 21:38:40
VBASE028.VDF   : 7.11.132.85     2048 Bytes  18.02.2014 21:38:40
VBASE029.VDF   : 7.11.132.86     2048 Bytes  18.02.2014 21:38:40
VBASE030.VDF   : 7.11.132.87     2048 Bytes  18.02.2014 21:38:40
VBASE031.VDF   : 7.11.132.128   108544 Bytes  18.02.2014 21:38:40
Engine version : 8.2.14.12 
AEVDF.DLL      : 8.1.3.4       102774 Bytes  14.02.2014 10:00:46
AESCRIPT.DLL   : 8.1.4.190     516478 Bytes  14.02.2014 10:00:46
AESCN.DLL      : 8.1.10.6      131447 Bytes  14.02.2014 10:00:46
AESBX.DLL      : 8.2.20.6     1331575 Bytes  14.02.2014 10:00:46
AERDL.DLL      : 8.2.0.138     704888 Bytes  14.02.2014 10:00:46
AEPACK.DLL     : 8.4.0.0       774520 Bytes  14.02.2014 10:00:46
AEOFFICE.DLL   : 8.1.2.82      205181 Bytes  18.02.2014 21:38:41
AEHEUR.DLL     : 8.1.4.918    6484346 Bytes  14.02.2014 10:00:46
AEHELP.DLL     : 8.1.27.10     266618 Bytes  14.02.2014 10:00:46
AEGEN.DLL      : 8.1.7.22      446839 Bytes  14.02.2014 10:00:46
AEEXP.DLL      : 8.4.1.204     434552 Bytes  14.02.2014 10:00:46
AEEMU.DLL      : 8.1.3.2       393587 Bytes  14.02.2014 10:00:46
AECORE.DLL     : 8.1.35.0      229753 Bytes  14.02.2014 10:00:46
AEBB.DLL       : 8.1.1.4        53619 Bytes  14.02.2014 10:00:46
AVWINLL.DLL    : 14.0.3.252     23608 Bytes  14.02.2014 10:00:48
AVPREF.DLL     : 14.0.3.252     48696 Bytes  14.02.2014 10:00:47
AVREP.DLL      : 14.0.3.252    175672 Bytes  14.02.2014 10:00:47
AVARKT.DLL     : 14.0.3.336    256080 Bytes  14.02.2014 10:00:46
AVEVTLOG.DLL   : 14.0.3.336    165968 Bytes  14.02.2014 10:00:46
SQLITE3.DLL    : 3.7.0.1       394808 Bytes  14.02.2014 10:00:50
AVSMTP.DLL     : 14.0.3.252     60472 Bytes  14.02.2014 10:00:47
NETNT.DLL      : 14.0.3.252     13368 Bytes  14.02.2014 10:00:49
RCIMAGE.DLL    : 14.0.3.260   4979256 Bytes  14.02.2014 10:00:50
RCTEXT.DLL     : 14.0.3.282     72760 Bytes  14.02.2014 10:00:50

Configuration settings for the scan:
Job name..............................: Complete system scan
Configuration file....................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging...............................: default
Primary action........................: Interactive
Secondary action......................: Ignore
Scan master boot sectors..............: on
Scan boot sectors.....................: on
Boot sectors..........................: C:, D:, 
Scan running programs.................: on
Extended scan of running programs.....: on
Scan registry.........................: on
Search for rootkits...................: on
Integrity checking of system files....: off
Scan all files........................: All files
Scan archives.........................: on
Recursion depth limit.................: 20
Smart extensions for archives.........: on
Macro virus heuristic.................: on
File heuristic........................: extended
Deviating risk categories.............: +PCK,+SPR,

Start of the scan: Tuesday, 18 February 2014  23:35

Starting scan of the boot sectors:
Boot sector 'HDD0(C:, D:)'
    [INFO]      No virus was found!

Starting search for hidden objects.

Starting scan of running processes:
Scan process 'SearchFilterHost.exe' - '35' module(s) have been scanned
Scan process 'SearchProtocolHost.exe' - '37' module(s) have been scanned
Scan process 'svchost.exe' - '42' module(s) have been scanned
Scan process 'cfp.exe' - '87' module(s) have been scanned
Scan process 'vssvc.exe' - '53' module(s) have been scanned
Scan process 'avscan.exe' - '125' module(s) have been scanned
Scan process 'firefox.exe' - '106' module(s) have been scanned
Scan process 'avcenter.exe' - '114' module(s) have been scanned
Scan process 'svchost.exe' - '37' module(s) have been scanned
Scan process 'wmpnetwk.exe' - '79' module(s) have been scanned
Scan process 'SYNTPHELPER.EXE' - '27' module(s) have been scanned
Scan process 'SynTPLpr.exe' - '28' module(s) have been scanned
Scan process 'avgnt.exe' - '90' module(s) have been scanned
Scan process 'jusched.exe' - '30' module(s) have been scanned
Scan process 'SynTPEnh.exe' - '48' module(s) have been scanned
Scan process 'SvcGuiHlpr.exe' - '75' module(s) have been scanned
Scan process 'rundll32.exe' - '43' module(s) have been scanned
Scan process 'rundll32.exe' - '44' module(s) have been scanned
Scan process 'fpassist.exe' - '30' module(s) have been scanned
Scan process 'TFTray.exe' - '50' module(s) have been scanned
Scan process 'VCDDaemon.exe' - '34' module(s) have been scanned
Scan process 'tpfnf6r.exe' - '25' module(s) have been scanned
Scan process 'TpShocks.exe' - '31' module(s) have been scanned
Scan process 'USBDLM_usr.exe' - '26' module(s) have been scanned
Scan process 'Explorer.EXE' - '171' module(s) have been scanned
Scan process 'Dwm.exe' - '37' module(s) have been scanned
Scan process 'taskhost.exe' - '58' module(s) have been scanned
Scan process 'UI0Detect.exe' - '33' module(s) have been scanned
Scan process 'SearchIndexer.exe' - '63' module(s) have been scanned
Scan process 'svchost.exe' - '46' module(s) have been scanned
Scan process 'svchost.exe' - '42' module(s) have been scanned
Scan process 'AVWEBGRD.EXE' - '59' module(s) have been scanned
Scan process 'avshadow.exe' - '34' module(s) have been scanned
Scan process 'AcSvc.exe' - '101' module(s) have been scanned
Scan process 'USBDLM.exe' - '50' module(s) have been scanned
Scan process 'TFService.exe' - '92' module(s) have been scanned
Scan process 'TeamViewer_Service.exe' - '101' module(s) have been scanned
Scan process 'avguard.exe' - '104' module(s) have been scanned
Scan process 'AcPrfMgrSvc.exe' - '75' module(s) have been scanned
Scan process 'TPHKSVC.exe' - '38' module(s) have been scanned
Scan process 'svchost.exe' - '67' module(s) have been scanned
Scan process 'sched.exe' - '54' module(s) have been scanned
Scan process 'spoolsv.exe' - '90' module(s) have been scanned
Scan process 'svchost.exe' - '36' module(s) have been scanned
Scan process 'svchost.exe' - '147' module(s) have been scanned
Scan process 'svchost.exe' - '80' module(s) have been scanned
Scan process 'svchost.exe' - '116' module(s) have been scanned
Scan process 'svchost.exe' - '83' module(s) have been scanned
Scan process 'svchost.exe' - '99' module(s) have been scanned
Scan process 'cmdagent.exe' - '99' module(s) have been scanned
Scan process 'svchost.exe' - '42' module(s) have been scanned
Scan process 'ibmpmsvc.exe' - '31' module(s) have been scanned
Scan process 'svchost.exe' - '59' module(s) have been scanned
Scan process 'winlogon.exe' - '40' module(s) have been scanned
Scan process 'lsm.exe' - '38' module(s) have been scanned
Scan process 'lsass.exe' - '76' module(s) have been scanned
Scan process 'services.exe' - '42' module(s) have been scanned
Scan process 'csrss.exe' - '19' module(s) have been scanned
Scan process 'wininit.exe' - '34' module(s) have been scanned
Scan process 'csrss.exe' - '19' module(s) have been scanned
Scan process 'smss.exe' - '2' module(s) have been scanned

Starting scan of references to executable files (registry):
The registry was scanned ( '3408' files ).


Starting the scan of the selected files:

Starting the file scan in 'C:\' <LAPTOP-R_C>
Starting the file scan in 'D:\' <LAPTOP-R_D>


End of the scan: Wednesday, 19 February 2014  01:06
Time elapsed:  1:30:53 hour(s)

The scan has been completed in full.

  23172 directories were checked
 957496 files were scanned
      0 viruses and/or unwanted programs were found
      0 files were classified as suspicious
      0 files were deleted
      0 viruses and/or unwanted programs were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 files could not be scanned
 957496 files without infection
   5824 archives were scanned
      0 warnings
      0 notes
 487310 objects were scanned by the rootkit scan
      0 hidden objects were found
         
but I have to split GMER.TXT (966,371 bytes) into several parts, which will take me a little more time.

Regards, Regina
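The GMER output in the next post lists SSDT hooks owned by cmdguard.sys and TfSysMon.sys, user-mode hooks whose JMP targets lie in guard32.dll, and 4-byte "patches" inside ntoskrnl.exe. As an added example (not GMER's code and not from the poster), the script below attributes each hook to the module that installed it and decodes the patched kernel bytes as little-endian pointers: they turn out to be exactly the SSDT hook addresses listed a few lines earlier, i.e. GMER is reporting the redirected service table slots themselves. The product names in KNOWN_HOOKERS are my attribution: cmdguard.sys and guard32.dll belong to Comodo Internet Security (cfp.exe and cmdagent.exe in the Avira process list above are its processes) and TfSysMon.sys to ThreatFire (TFService.exe, TFTray.exe). The sample lines are copied from the GMER log with the column padding shortened; the JMP 7xxx000A user-mode hooks for which GMER names no module are deliberately left unattributed.

```python
"""Attribute the hooks in a GMER log to the module that installed them, and
check whether the 4-byte 'patches' GMER reports inside ntoskrnl are really
service-table entries pointing at those same hooks. Added example for this
thread: not GMER's code and not the poster's."""
import re
from collections import Counter

# Constructed input: lines copied from the GMER output posted in this thread
# (SSDT section, kernel code section, three user-mode hooks in AcSvc.exe),
# with the column padding shortened.
GMER_EXCERPT = r"""
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys  ZwAdjustPrivilegesToken [0x88319FB0]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys  ZwAlpcConnectPort [0x8831A19C]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys  ZwCreateFile [0x88319C16]
SSDT  \SystemRoot\System32\DRIVERS\cmdguard.sys  ZwCreateSection [0x883199CA]
SSDT  \SystemRoot\system32\drivers\TfSysMon.sys  ZwTerminateProcess [0x87C882D0]
.text  ntoskrnl.exe!KeRemoveQueueEx + 139F  82C60994 4 Bytes  [B0, 9F, 31, 88]
.text  ntoskrnl.exe!KeRemoveQueueEx + 13C7  82C609BC 4 Bytes  [9C, A1, 31, 88]
.text  ntoskrnl.exe!KeRemoveQueueEx + 145B  82C60A50 4 Bytes  JMP B4591AD7
.text  ntoskrnl.exe!KeRemoveQueueEx + 1477  82C60A6C 4 Bytes  [16, 9C, 31, 88]
.text  ntoskrnl.exe!KeRemoveQueueEx + 14BF  82C60AB4 4 Bytes  [CA, 99, 31, 88]
.text  C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtClose  77C85508 5 Bytes  JMP 003BD120 C:\Windows\system32\guard32.dll
.text  C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateProcessW  767B204D 5 Bytes  JMP 003C5070 C:\Windows\system32\guard32.dll
.text  C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CopyFileW  767E6B3F 6 Bytes  JMP 70F1000A
"""

# Security products present on this machine according to the FRST and Avira
# logs in the thread: Comodo Internet Security (cmdguard.sys, guard32.dll,
# cfp.exe, cmdagent.exe) and ThreatFire (TfSysMon.sys, TFService.exe).
# This is the analyst's attribution list, not a clean bill for the machine.
KNOWN_HOOKERS = {
    "cmdguard.sys": "Comodo Internet Security (kernel driver)",
    "guard32.dll": "Comodo Internet Security (user-mode guard)",
    "tfsysmon.sys": "ThreatFire",
}
UNATTRIBUTED = "<unattributed>"

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
KBYTES_RE = re.compile(
    r"^\.text\s+ntoskrnl\.exe!(?P<sym>\S+ \+ [0-9A-Fa-f]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8}) 4 Bytes\s+\[(?P<bytes>[^\]]+)\]")
UHOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<func>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8}) \d+ Bytes\s+JMP (?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<module>\S.*?))?\s*$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Split a GMER log into SSDT hooks, 4-byte kernel 'patches' and
    user-mode inline hooks. Lines of any other kind are ignored."""
    ssdt, kernel_bytes, user_hooks = [], [], []
    for line in text.splitlines():
        if m := SSDT_RE.match(line):
            ssdt.append({"module": basename(m["module"]), "func": m["func"],
                         "addr": int(m["addr"], 16)})
        elif m := KBYTES_RE.match(line):
            raw = bytes(int(b, 16) for b in m["bytes"].split(", "))
            # x86 is little-endian: the 4 bytes GMER shows are one pointer
            kernel_bytes.append({"sym": m["sym"], "addr": int(m["addr"], 16),
                                 "value": int.from_bytes(raw, "little")})
        elif m := UHOOK_RE.match(line):
            user_hooks.append({"proc": m["proc"], "func": m["func"],
                               "target": int(m["target"], 16),
                               "module": basename(m["module"]) if m["module"] else None})
    return ssdt, kernel_bytes, user_hooks


def attribute_kernel_patches(ssdt, kernel_bytes):
    """For each 4-byte change inside ntoskrnl, look the decoded pointer up
    among the SSDT hook addresses. A hit means GMER is showing a service
    table slot whose pointer was redirected, not patched instructions."""
    by_addr = {h["addr"]: h for h in ssdt}
    out = []
    for kb in kernel_bytes:
        hit = by_addr.get(kb["value"])
        out.append({"sym": kb["sym"], "value": kb["value"],
                    "func": hit["func"] if hit else None,
                    "module": hit["module"] if hit else None})
    return out


def attribute_hookers(ssdt, user_hooks):
    """Hooks per installing module, tagged with the product they belong to.
    User-mode JMPs for which GMER names no module are grouped separately:
    those are the ones an analyst follows up on."""
    counts = Counter(h["module"] for h in ssdt)
    counts.update(h["module"] or UNATTRIBUTED for h in user_hooks)
    return {mod: {"hooks": n, "product": KNOWN_HOOKERS.get(mod, "unknown")}
            for mod, n in counts.items()}


if __name__ == "__main__":
    ssdt, kb, uh = parse_gmer(GMER_EXCERPT)
    for p in attribute_kernel_patches(ssdt, kb):
        print(f"{p['sym']}: {p['value']:#010x} -> {p['func'] or '?'} "
              f"({p['module'] or 'no SSDT match'})")
    for mod, info in attribute_hookers(ssdt, uh).items():
        print(f"{mod}: {info['hooks']} hook(s), {info['product']}")
```

Hooks that trace back to installed security products explain the GMER output, nothing more: they neither prove the machine clean nor have anything to do with the Avira scan result. What the attribution does show is that three products (Avira, Comodo, ThreatFire) hook the kernel on this machine at the same time, which is a question worth putting to the crash dump before looking for an infection.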

19.02.2014, 15:22   #4
gini57

Windows 7: Bluescreen after startup, restore successful but malware suspected

Hello,

and now the Gmer.txt parts.

gmer01_0001-0598.txt:

Code:
ATTFilter
GMER 2.1.19357 - hxxp://www.gmer.net
Rootkit scan 2014-02-18 22:26:10
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1200VE-00KWT0 rev.01.03K01 111,79GB
Running: Gmer-19357.exe; Driver: C:\Users\chef\AppData\Local\Temp\fxddapow.sys


---- System - GMER 2.1 ----

SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwAdjustPrivilegesToken [0x88319FB0]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwAlpcConnectPort [0x8831A19C]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwConnectPort [0x88319310]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwCreateFile [0x88319C16]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwCreateSection [0x883199CA]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwCreateSymbolicLinkObject [0x8831AD14]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwCreateThread [0x88318CFC]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwCreateThreadEx [0x8831A3CA]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwLoadDriver [0x8831A746]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwMakeTemporaryObject [0x883195D8]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwOpenFile [0x88319DF2]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwOpenSection [0x88319872]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwSetSystemInformation [0x8831AA32]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwShutdownSystem [0x88319542]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwSystemDebugControl [0x8831975E]
SSDT            \SystemRoot\system32\drivers\TfSysMon.sys                                                                      ZwTerminateProcess [0x87C882D0]
SSDT            \SystemRoot\System32\DRIVERS\cmdguard.sys                                                                      ZwTerminateThread [0x88318F00]

---- Kernel code sections - GMER 2.1 ----

.text           ntoskrnl.exe!ZwRollbackEnlistment + 1409                                                                       82C399A5 1 Byte  [06]
.text           ntoskrnl.exe!KiDispatchInterrupt + 5A2                                                                         82C59512 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           ntoskrnl.exe!KeRemoveQueueEx + 139F                                                                            82C60994 4 Bytes  [B0, 9F, 31, 88]
.text           ntoskrnl.exe!KeRemoveQueueEx + 13C7                                                                            82C609BC 4 Bytes  [9C, A1, 31, 88]
.text           ntoskrnl.exe!KeRemoveQueueEx + 145B                                                                            82C60A50 4 Bytes  JMP B4591AD7 
.text           ntoskrnl.exe!KeRemoveQueueEx + 1477                                                                            82C60A6C 4 Bytes  [16, 9C, 31, 88]
.text           ntoskrnl.exe!KeRemoveQueueEx + 14BF                                                                            82C60AB4 4 Bytes  [CA, 99, 31, 88]
.text           ...                                                                                                            

---- User code sections - GMER 2.1 ----

.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtAlpcSendWaitReceivePort                  77C85458 5 Bytes  JMP 003CB670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtClose                                    77C85508 5 Bytes  JMP 003BD120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtLoadDriver                               77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtLoadDriver + 4                           77C85B9C 2 Bytes  [59, 71]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtSuspendProcess                           77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!NtSuspendProcess + 4                       77C868CC 2 Bytes  [71, 71] {JNO 0x73}
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!LdrUnloadDll                               77C9C8DE 7 Bytes  JMP 003BD240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ntdll.dll!LdrLoadDll                                 77CA22AE 5 Bytes  JMP 003C7F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateProcessW                          767B204D 5 Bytes  JMP 003C5070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateProcessA                          767B2082 5 Bytes  JMP 003C5C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateProcessAsUserW                    767E59FF 5 Bytes  JMP 003C3BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CopyFileW                               767E6B3F 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CopyFileExW                             767EB280 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateToolhelp32Snapshot                767EFD29 6 Bytes  JMP 7112000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!OpenMutexA                              767F0412 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!DeleteFileW                             767F1737 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!TerminateProcess                        767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!VirtualProtect                          767F2C15 6 Bytes  JMP 7109000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateMutexW                            767F33D6 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!DeleteFileA                             767F43CA 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!OpenProcess                             767F54E7 6 Bytes  JMP 7085000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MoveFileExW                             767F8DF8 6 Bytes  JMP 7088000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateDirectoryW                        767F99D1 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!LoadResource                            767F9CBA 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!DeviceIoControl                         767FB96D 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!VirtualAlloc                            767FC42A 6 Bytes  JMP 710C000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!GetProcAddress                          767FCC84 6 Bytes  JMP 714B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateMutexA                            767FD7C4 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!LoadLibraryA                            767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateThread                            767FDCB2 6 Bytes  JMP 710F000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateFileW                             767FE895 6 Bytes  JMP 7118000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateFileA                             767FEA51 6 Bytes  JMP 7115000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!WideCharToMultiByte                     767FEEEA 6 Bytes  JMP 7094000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MultiByteToWideChar                     767FEEF7 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!LoadLibraryW                            767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!WriteFile                               768053DE 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!GetVolumeInformationW                   76806191 6 Bytes  JMP 7145000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!OpenMutexW                              76808ECD 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!TerminateThread                         7680BBF1 6 Bytes  JMP 716F000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MoveFileExA                             76813F68 6 Bytes  JMP 708B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!GetVolumeInformationA                   76815CB2 6 Bytes  JMP 7148000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CopyFileA                               76816D4A 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MoveFileW                               76816EC6 6 Bytes  JMP 708E000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateDirectoryA                        768180D5 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!WriteProcessMemory                      7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!DebugActiveProcess                      7683738C 6 Bytes  JMP 716C000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!MoveFileA                               7683BF49 6 Bytes  JMP 7091000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CopyFileExA                             7683CDA1 6 Bytes  JMP 70EE000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!WinExec                                 7683ED9E 6 Bytes  JMP 7178000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!CreateRemoteThread                      7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!VirtualProtectEx                        7683FD39 6 Bytes  JMP 715D000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] kernel32.dll!SetThreadContext                        768408B3 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] GDI32.dll!DeleteDC                                   77DF6EAA 5 Bytes  JMP 003C8D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] GDI32.dll!GetPixel                                   77DFC3D5 5 Bytes  JMP 003C8AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] GDI32.dll!CreateDCA                                  77DFCCA9 5 Bytes  JMP 003C9E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] GDI32.dll!CreateDCW                                  77DFCF79 5 Bytes  JMP 003C9D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!RegisterRawInputDevices                   76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!RegisterRawInputDevices + 4               76635B56 2 Bytes  [4D, 71]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetWindowTextA                            76636EED 6 Bytes  JMP 7100000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetAsyncKeyState                          7663A256 6 Bytes  JMP 7166000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetWindowTextW                            7663B8C5 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!CreateWindowExA                           7663BF40 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWindowsHookExW                         7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!CreateWindowExW                           7663EC7C 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!ShowWindow                                7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!ShowWindow + 4                            7663F2AD 2 Bytes  [F9, 70]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWinEventHook                           766424DC 6 Bytes  JMP 7151000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetKeyState                               76642B4D 6 Bytes  JMP 7169000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!DrawTextW                                 76645B6A 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWindowTextW                            7664612B 6 Bytes  JMP 7097000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!DrawTextA                                 7665AE29 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWindowTextA                            76660C5B 6 Bytes  JMP 709A000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetKeyboardState                          76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!GetKeyboardState + 4                      7666694A 2 Bytes  [62, 71]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!SetWindowsHookExA                         76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!DdeConnect                                7667EB5B 6 Bytes  JMP 7160000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] USER32.dll!EndTask                                   7667FD66 6 Bytes  JMP 7175000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!OpenSCManagerW                          7671CA04 6 Bytes  JMP 7103000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegOpenKeyA                             7671CBB5 6 Bytes  JMP 7136000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegCreateKeyA                           7671CCA1 6 Bytes  JMP 713C000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueA                          7671CDB2 5 Bytes  JMP 7124000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegDeleteKeyW                           767211F2 6 Bytes  JMP 709D000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegCreateKeyExA                         767213E9 6 Bytes  JMP 7142000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegSetValueExA                          76721433 6 Bytes  JMP 712A000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegSetValueExW                          76721456 6 Bytes  JMP 7127000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegCreateKeyW                           76721494 6 Bytes  JMP 7139000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegOpenKeyW                             767223D9 6 Bytes  JMP 7133000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!OpenSCManagerA                          76722B58 6 Bytes  JMP 7106000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!LookupPrivilegeValueA                   76723FCA 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegCreateKeyExW                         7672407E 6 Bytes  JMP 713F000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!AdjustTokenPrivileges                   7672410E 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!LookupPrivilegeValueW                   76724133 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!OpenProcessToken                        76724284 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueW                          76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueW + 4                      76724438 2 Bytes  [20, 71]
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegOpenKeyExW                           7672460D 6 Bytes  JMP 712D000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueExW                        7672462D 6 Bytes  JMP 711B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegQueryValueExA                        7672486F 6 Bytes  JMP 711E000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegOpenKeyExA                           76724887 6 Bytes  JMP 7130000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!CreateServiceW                          767370C4 6 Bytes  JMP 7154000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!RegDeleteKeyA                           7673A84F 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!CreateProcessAsUserA                    76752642 5 Bytes  JMP 003C44D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!CreateServiceA                          76753264 6 Bytes  JMP 7157000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] ADVAPI32.dll!LsaRemoveAccountRights                  767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!ShellExecuteW                            76E63C31 6 Bytes  JMP 7181000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!Shell_NotifyIconW                        76E70171 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!ShellExecuteExW                          76E71DF6 6 Bytes  JMP 717B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!ShellExecuteEx                           7709748A 6 Bytes  JMP 717E000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!ShellExecuteA                            77097525 6 Bytes  JMP 7184000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] SHELL32.dll!Shell_NotifyIcon                         77098F9E 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] WININET.dll!InternetOpenUrlA                         7696E1C6 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\Lenovo\Access Connections\AcSvc.exe[416] WININET.dll!InternetOpenUrlW                         769CDC08 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\csrss.exe[460] ntdll.dll!NtAlpcSendWaitReceivePort                                         77C85458 5 Bytes  JMP 75E21BA0 C:\Windows\system32\cmdcsr.dll
.text           C:\Windows\system32\csrss.exe[460] ntdll.dll!NtReplyWaitReceivePort                                            77C86458 5 Bytes  JMP 75E21450 C:\Windows\system32\cmdcsr.dll
.text           C:\Windows\system32\csrss.exe[460] ntdll.dll!NtReplyWaitReceivePortEx                                          77C86468 5 Bytes  JMP 75E217F0 C:\Windows\system32\cmdcsr.dll
.text           C:\Windows\system32\wininit.exe[512] ntdll.dll!NtAlpcSendWaitReceivePort                                       77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] ntdll.dll!NtClose                                                         77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] ntdll.dll!NtLoadDriver                                                    77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\wininit.exe[512] ntdll.dll!NtLoadDriver + 4                                                77C85B9C 2 Bytes  [5A, 71]
.text           C:\Windows\system32\wininit.exe[512] ntdll.dll!NtSuspendProcess                                                77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\wininit.exe[512] ntdll.dll!NtSuspendProcess + 4                                            77C868CC 2 Bytes  [75, 71] {JNZ 0x73}
.text           C:\Windows\system32\wininit.exe[512] ntdll.dll!LdrUnloadDll                                                    77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] ntdll.dll!LdrLoadDll                                                      77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateProcessW                                               767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateProcessA                                               767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateProcessAsUserW                                         767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileW                                                    767E6B3F 6 Bytes  JMP 70F0000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileExW                                                  767EB280 6 Bytes  JMP 70EA000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateToolhelp32Snapshot                                     767EFD29 6 Bytes  JMP 7111000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!OpenMutexA                                                   767F0412 6 Bytes  JMP 70C0000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!DeleteFileW                                                  767F1737 6 Bytes  JMP 70A8000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!TerminateProcess                                             767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!VirtualProtect                                               767F2C15 6 Bytes  JMP 7108000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateMutexW                                                 767F33D6 6 Bytes  JMP 70C3000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!DeleteFileA                                                  767F43CA 6 Bytes  JMP 70AB000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!OpenProcess                                                  767F54E7 6 Bytes  JMP 708A000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!MoveFileExW                                                  767F8DF8 6 Bytes  JMP 708D000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateDirectoryW                                             767F99D1 6 Bytes  JMP 70DB000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!LoadResource                                                 767F9CBA 6 Bytes  JMP 70F6000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!DeviceIoControl                                              767FB96D 6 Bytes  JMP 70E1000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!VirtualAlloc                                                 767FC42A 6 Bytes  JMP 710B000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!GetProcAddress                                               767FCC84 6 Bytes  JMP 714A000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateMutexA                                                 767FD7C4 6 Bytes  JMP 70C6000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!LoadLibraryA                                                 767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateThread                                                 767FDCB2 6 Bytes  JMP 710E000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateFileW                                                  767FE895 6 Bytes  JMP 7117000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateFileA                                                  767FEA51 6 Bytes  JMP 7114000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!WideCharToMultiByte                                          767FEEEA 6 Bytes  JMP 7099000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!MultiByteToWideChar                                          767FEEF7 6 Bytes  JMP 70BA000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!LoadLibraryW                                                 767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!WriteFile                                                    768053DE 6 Bytes  JMP 70D8000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!GetVolumeInformationW                                        76806191 6 Bytes  JMP 7144000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!OpenMutexW                                                   76808ECD 6 Bytes  JMP 70BD000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!TerminateThread                                              7680BBF1 6 Bytes  JMP 7173000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!MoveFileExA                                                  76813F68 6 Bytes  JMP 7090000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!GetVolumeInformationA                                        76815CB2 6 Bytes  JMP 7147000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileA                                                    76816D4A 6 Bytes  JMP 70F3000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!MoveFileW                                                    76816EC6 6 Bytes  JMP 7093000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateDirectoryA                                             768180D5 6 Bytes  JMP 70DE000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!WriteProcessMemory                                           7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!DebugActiveProcess                                           7683738C 6 Bytes  JMP 7170000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!MoveFileA                                                    7683BF49 6 Bytes  JMP 7096000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileExA                                                  7683CDA1 4 Bytes  JMP EC001E25 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CopyFileExA + 5                                              7683CDA6 1 Byte  [70]
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!WinExec                                                      7683ED9E 6 Bytes  JMP 717C000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!CreateRemoteThread                                           7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!VirtualProtectEx                                             7683FD39 6 Bytes  JMP 715E000A 
.text           C:\Windows\system32\wininit.exe[512] kernel32.dll!SetThreadContext                                             768408B3 6 Bytes  JMP 70D5000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!RegisterRawInputDevices                                        76635B52 5 Bytes  JMP 10018F00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!GetWindowTextA                                                 76636EED 6 Bytes  JMP 70FF000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SystemParametersInfoA                                          766380E0 7 Bytes  JMP 1001C690 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SetParent                                                      76638314 5 Bytes  JMP 10018980 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!EnableWindow                                                   76638D02 5 Bytes  JMP 10017EA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!MoveWindow                                                     76638D29 5 Bytes  JMP 10018C20 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!GetAsyncKeyState                                               7663A256 5 Bytes  JMP 10019120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!RegisterHotKey                                                 7663AA19 5 Bytes  JMP 10018140 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!PostThreadMessageA                                             7663AD09 5 Bytes  JMP 1001B980 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageA                                                   7663AD60 5 Bytes  JMP 1001B440 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!PostMessageA                                                   7663B446 5 Bytes  JMP 1001BEC0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!GetWindowTextW                                                 7663B8C5 6 Bytes  JMP 70FC000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!CreateWindowExA                                                7663BF40 6 Bytes  JMP 70B1000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendNotifyMessageW                                             7663C88A 5 Bytes  JMP 1001A160 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SystemParametersInfoW                                          7663E09A 7 Bytes  JMP 1001C470 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowsHookExW                                              7663E30C 5 Bytes  JMP 1001C8B0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageTimeoutW                                            7663E459 5 Bytes  JMP 1001AC20 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!CreateWindowExW                                                7663EC7C 6 Bytes  JMP 70AE000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!PostThreadMessageW                                             7663EEFC 5 Bytes  JMP 1001B6E0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!ShowWindow                                                     7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!ShowWindow + 4                                                 7663F2AD 2 Bytes  [F8, 70]
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SetWinEventHook                                                766424DC 5 Bytes  JMP 1001C160 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!GetKeyState                                                    76642B4D 5 Bytes  JMP 100193D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageCallbackW                                           76642F7B 5 Bytes  JMP 1001A6A0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!PostMessageW                                                   7664447B 5 Bytes  JMP 1001BC20 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageW                                                   76645539 5 Bytes  JMP 1001B1A0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!DrawTextW                                                      76645B6A 6 Bytes  JMP 70B4000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowTextW                                                 7664612B 6 Bytes  JMP 709C000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!GetClipboardData                                               76652BA7 5 Bytes  JMP 10018370 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendNotifyMessageA                                             7665493C 5 Bytes  JMP 1001A400 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!mouse_event                                                    76656209 5 Bytes  JMP 100297C0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SetClipboardViewer                                             76656FF6 5 Bytes  JMP 10018780 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendDlgItemMessageW                                            766570D8 5 Bytes  JMP 10019C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendDlgItemMessageA                                            76657241 5 Bytes  JMP 10019EB0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!DrawTextA                                                      7665AE29 6 Bytes  JMP 70B7000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowTextA                                                 76660C5B 6 Bytes  JMP 709F000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!GetKeyboardState                                               76666946 5 Bytes  JMP 10019680 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!BlockInput                                                     76666A99 5 Bytes  JMP 10018580 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SetWindowsHookExA                                              76666D0C 5 Bytes  JMP 1001CB20 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageTimeoutA                                            76666DA9 5 Bytes  JMP 1001AEE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendInput                                                      76667019 5 Bytes  JMP 10019930 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!DdeConnect                                                     7667EB5B 6 Bytes  JMP 7161000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!EndTask                                                        7667FD66 6 Bytes  JMP 7179000A 
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!ExitWindowsEx                                                  766806C7 5 Bytes  JMP 10017C90 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!keybd_event                                                    7668EC3B 5 Bytes  JMP 100299D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] USER32.dll!SendMessageCallbackA                                           76693E8B 5 Bytes  JMP 1001A960 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] GDI32.dll!DeleteDC                                                        77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] GDI32.dll!BitBlt                                                          77DF72C0 5 Bytes  JMP 10029530 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] GDI32.dll!GetPixel                                                        77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] GDI32.dll!MaskBlt                                                         77DFC7AD 5 Bytes  JMP 10029280 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] GDI32.dll!CreateDCA                                                       77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] GDI32.dll!CreateDCW                                                       77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] GDI32.dll!StretchBlt                                                      77DFF467 5 Bytes  JMP 10028D50 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] GDI32.dll!PlgBlt                                                          77E1026A 5 Bytes  JMP 10028FF0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!OpenSCManagerW                                               7671CA04 6 Bytes  JMP 7102000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegOpenKeyA                                                  7671CBB5 6 Bytes  JMP 7135000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegCreateKeyA                                                7671CCA1 6 Bytes  JMP 713B000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueA                                               7671CDB2 5 Bytes  JMP 7123000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegDeleteKeyW                                                767211F2 6 Bytes  JMP 70A2000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegCreateKeyExA                                              767213E9 6 Bytes  JMP 7141000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegSetValueExA                                               76721433 6 Bytes  JMP 7129000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegSetValueExW                                               76721456 6 Bytes  JMP 7126000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegCreateKeyW                                                76721494 6 Bytes  JMP 7138000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegOpenKeyW                                                  767223D9 6 Bytes  JMP 7132000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!OpenSCManagerA                                               76722B58 6 Bytes  JMP 7105000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!LookupPrivilegeValueA                                        76723FCA 6 Bytes  JMP 70CF000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegCreateKeyExW                                              7672407E 6 Bytes  JMP 713E000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!AdjustTokenPrivileges                                        7672410E 6 Bytes  JMP 70C9000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!LookupPrivilegeValueW                                        76724133 6 Bytes  JMP 70CC000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!OpenProcessToken                                             76724284 6 Bytes  JMP 70D2000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueW                                               76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueW + 4                                           76724438 2 Bytes  [1F, 71]
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegOpenKeyExW                                                7672460D 6 Bytes  JMP 712C000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueExW                                             7672462D 6 Bytes  JMP 711A000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegQueryValueExA                                             7672486F 6 Bytes  JMP 711D000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegOpenKeyExA                                                76724887 6 Bytes  JMP 712F000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!CreateServiceW                                               767370C4 6 Bytes  JMP 7155000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!RegDeleteKeyA                                                7673A84F 6 Bytes  JMP 70A5000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!CreateProcessAsUserA                                         76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!CreateServiceA                                               76753264 6 Bytes  JMP 7158000A 
.text           C:\Windows\system32\wininit.exe[512] ADVAPI32.dll!LsaRemoveAccountRights                                       767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\wininit.exe[512] SHELL32.dll!ShellExecuteW                                                 76E63C31 6 Bytes  JMP 7185000A 
.text           C:\Windows\system32\wininit.exe[512] SHELL32.dll!Shell_NotifyIconW                                             76E70171 6 Bytes  JMP 70E4000A 
.text           C:\Windows\system32\wininit.exe[512] SHELL32.dll!ShellExecuteExW                                               76E71DF6 6 Bytes  JMP 717F000A 
.text           C:\Windows\system32\wininit.exe[512] SHELL32.dll!ShellExecuteEx                                                7709748A 6 Bytes  JMP 7182000A 
.text           C:\Windows\system32\wininit.exe[512] SHELL32.dll!ShellExecuteA                                                 77097525 6 Bytes  JMP 7188000A 
.text           C:\Windows\system32\wininit.exe[512] SHELL32.dll!Shell_NotifyIcon                                              77098F9E 6 Bytes  JMP 70E7000A 
.text           C:\Windows\system32\csrss.exe[524] ntdll.dll!NtAlpcSendWaitReceivePort                                         77C85458 5 Bytes  JMP 75E21BA0 C:\Windows\system32\cmdcsr.dll
.text           C:\Windows\system32\csrss.exe[524] ntdll.dll!NtReplyWaitReceivePort                                            77C86458 5 Bytes  JMP 75E21450 C:\Windows\system32\cmdcsr.dll
.text           C:\Windows\system32\csrss.exe[524] ntdll.dll!NtReplyWaitReceivePortEx                                          77C86468 5 Bytes  JMP 75E217F0 C:\Windows\system32\cmdcsr.dll
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 7150000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 714A000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7171000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 7120000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 7108000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 7168000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 7123000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 710B000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 70EA000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileExW                                                 767F8DF8 4 Bytes  JMP EC001E25 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileExW + 5                                             767F8DFD 1 Byte  [70]
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 713B000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 7156000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 7141000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 716B000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 7126000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 716E000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 7177000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 7174000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70F9000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 711A000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 7138000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 711D000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 70F0000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 7153000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 70F3000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 713E000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 70F6000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 714D000A 
.text           C:\Windows\system32\winlogon.exe[556] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 7135000A 
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 715F000A 
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 715C000A 
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 7111000A 
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 710E000A 
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [58, 71]
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 7114000A 
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70FC000A 
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 7117000A 
.text           C:\Windows\system32\winlogon.exe[556] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70FF000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7162000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 7183000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 7102000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7189000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 7186000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7192000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 7165000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 712F000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 7129000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 712C000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 7132000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [7F, 71] {JG 0x73}
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 718C000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 717A000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 717D000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 718F000A 
.text           C:\Windows\system32\winlogon.exe[556] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 7105000A 
.text           C:\Windows\system32\winlogon.exe[556] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 7144000A 
.text           C:\Windows\system32\winlogon.exe[556] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 7147000A 
.text           C:\Windows\system32\services.exe[596] services.exe                                                             00111608 4 Bytes  [20, E2, 01, 10] {AND DL, AH; ADD [EAX], EDX}
.text           C:\Windows\system32\services.exe[596] services.exe                                                             00111618 4 Bytes  [00, DD, 01, 10] {ADD CH, BL; ADD [EAX], EDX}
.text           C:\Windows\system32\services.exe[596] services.exe                                                             00111638 4 Bytes  [40, E5, 01, 10]
.text           C:\Windows\system32\services.exe[596] services.exe                                                             00111648 4 Bytes  [80, DF, 01, 10]
.text           C:\Windows\system32\services.exe[596] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\services.exe[596] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\services.exe[596] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\services.exe[596] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\services.exe[596] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\services.exe[596] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\services.exe[596] RPCRT4.dll!RpcServerRegisterIfEx                                         764608A4 5 Bytes  JMP 1001F870 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\services.exe[596] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\services.exe[596] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\services.exe[596] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\services.exe[596] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\services.exe[596] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\services.exe[596] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\services.exe[596] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\services.exe[596] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\services.exe[596] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\services.exe[596] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\services.exe[596] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\services.exe[596] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\services.exe[596] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\services.exe[596] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\services.exe[596] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\lsass.exe[612] ntdll.dll!NtAlpcSendWaitReceivePort                                         77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] ntdll.dll!NtClose                                                           77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] ntdll.dll!NtLoadDriver                                                      77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsass.exe[612] ntdll.dll!NtLoadDriver + 4                                                  77C85B9C 2 Bytes  [59, 71]
.text           C:\Windows\system32\lsass.exe[612] ntdll.dll!NtSuspendProcess                                                  77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsass.exe[612] ntdll.dll!NtSuspendProcess + 4                                              77C868CC 2 Bytes  [71, 71] {JNO 0x73}
.text           C:\Windows\system32\lsass.exe[612] ntdll.dll!LdrUnloadDll                                                      77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] ntdll.dll!LdrLoadDll                                                        77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessW                                                 767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessA                                                 767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateProcessAsUserW                                           767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CopyFileW                                                      767E6B3F 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CopyFileExW                                                    767EB280 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateToolhelp32Snapshot                                       767EFD29 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!OpenMutexA                                                     767F0412 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!DeleteFileW                                                    767F1737 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!TerminateProcess                                               767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!VirtualProtect                                                 767F2C15 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateMutexW                                                   767F33D6 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!DeleteFileA                                                    767F43CA 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!OpenProcess                                                    767F54E7 6 Bytes  JMP 708B000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!MoveFileExW                                                    767F8DF8 6 Bytes  JMP 708E000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateDirectoryW                                               767F99D1 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadResource                                                   767F9CBA 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!DeviceIoControl                                                767FB96D 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!VirtualAlloc                                                   767FC42A 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!GetProcAddress                                                 767FCC84 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateMutexA                                                   767FD7C4 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryA                                                   767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateThread                                                   767FDCB2 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateFileW                                                    767FE895 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateFileA                                                    767FEA51 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!WideCharToMultiByte                                            767FEEEA 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!MultiByteToWideChar                                            767FEEF7 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!LoadLibraryW                                                   767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!WriteFile                                                      768053DE 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!GetVolumeInformationW                                          76806191 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!OpenMutexW                                                     76808ECD 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!TerminateThread                                                7680BBF1 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!MoveFileExA                                                    76813F68 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!GetVolumeInformationA                                          76815CB2 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CopyFileA                                                      76816D4A 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!MoveFileW                                                      76816EC6 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateDirectoryA                                               768180D5 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!WriteProcessMemory                                             7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!DebugActiveProcess                                             7683738C 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!MoveFileA                                                      7683BF49 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CopyFileExA                                                    7683CDA1 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!WinExec                                                        7683ED9E 6 Bytes  JMP 7178000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!CreateRemoteThread                                             7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!VirtualProtectEx                                               7683FD39 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\lsass.exe[612] kernel32.dll!SetThreadContext                                               768408B3 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!RegisterRawInputDevices                                          76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!RegisterRawInputDevices + 4                                      76635B56 2 Bytes  [4D, 71]
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!GetWindowTextA                                                   76636EED 6 Bytes  JMP 7100000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!GetAsyncKeyState                                                 7663A256 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!GetWindowTextW                                                   7663B8C5 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!CreateWindowExA                                                  7663BF40 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowsHookExW                                                7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!CreateWindowExW                                                  7663EC7C 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!ShowWindow                                                       7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!ShowWindow + 4                                                   7663F2AD 2 Bytes  [F9, 70]
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!SetWinEventHook                                                  766424DC 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!GetKeyState                                                      76642B4D 6 Bytes  JMP 7169000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!DrawTextW                                                        76645B6A 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowTextW                                                   7664612B 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!DrawTextA                                                        7665AE29 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowTextA                                                   76660C5B 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!GetKeyboardState                                                 76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!GetKeyboardState + 4                                             7666694A 2 Bytes  [62, 71]
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!SetWindowsHookExA                                                76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!DdeConnect                                                       7667EB5B 6 Bytes  JMP 7160000A 
.text           C:\Windows\system32\lsass.exe[612] USER32.dll!EndTask                                                          7667FD66 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\lsass.exe[612] GDI32.dll!DeleteDC                                                          77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] GDI32.dll!GetPixel                                                          77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] GDI32.dll!CreateDCA                                                         77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] GDI32.dll!CreateDCW                                                         77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!OpenSCManagerW                                                 7671CA04 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyA                                                    7671CBB5 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyA                                                  7671CCA1 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueA                                                 7671CDB2 5 Bytes  JMP 7124000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegDeleteKeyW                                                  767211F2 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyExA                                                767213E9 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegSetValueExA                                                 76721433 6 Bytes  JMP 712A000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegSetValueExW                                                 76721456 6 Bytes  JMP 7127000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyW                                                  76721494 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyW                                                    767223D9 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!OpenSCManagerA                                                 76722B58 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!LookupPrivilegeValueA                                          76723FCA 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegCreateKeyExW                                                7672407E 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!AdjustTokenPrivileges                                          7672410E 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!LookupPrivilegeValueW                                          76724133 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!OpenProcessToken                                               76724284 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueW                                                 76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueW + 4                                             76724438 2 Bytes  [20, 71]
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyExW                                                  7672460D 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueExW                                               7672462D 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegQueryValueExA                                               7672486F 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegOpenKeyExA                                                  76724887 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceW                                                 767370C4 6 Bytes  JMP 7154000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!RegDeleteKeyA                                                  7673A84F 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!CreateProcessAsUserA                                           76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!CreateServiceA                                                 76753264 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\lsass.exe[612] ADVAPI32.dll!LsaRemoveAccountRights                                         767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\lsass.exe[612] SHELL32.dll!ShellExecuteW                                                   76E63C31 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\lsass.exe[612] SHELL32.dll!Shell_NotifyIconW                                               76E70171 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\lsass.exe[612] SHELL32.dll!ShellExecuteExW                                                 76E71DF6 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\lsass.exe[612] SHELL32.dll!ShellExecuteEx                                                  7709748A 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\lsass.exe[612] SHELL32.dll!ShellExecuteA                                                   77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\lsass.exe[612] SHELL32.dll!Shell_NotifyIcon                                                77098F9E 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\lsm.exe[620] ntdll.dll!NtAlpcSendWaitReceivePort                                           77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] ntdll.dll!NtClose                                                             77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] ntdll.dll!NtLoadDriver                                                        77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsm.exe[620] ntdll.dll!NtLoadDriver + 4                                                    77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\lsm.exe[620] ntdll.dll!NtSuspendProcess                                                    77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsm.exe[620] ntdll.dll!NtSuspendProcess + 4                                                77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\lsm.exe[620] ntdll.dll!LdrUnloadDll                                                        77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] ntdll.dll!LdrLoadDll                                                          77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
         

Old 19.02.2014, 15:34   #5
gini57

Windows 7: Blue screen after startup, restore successful but suspected malware

gmer02_0599-1195.txt:

Code:
ATTFilter
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateProcessW                                                   767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateProcessA                                                   767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateProcessAsUserW                                             767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CopyFileW                                                        767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CopyFileExW                                                      767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateToolhelp32Snapshot                                         767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!OpenMutexA                                                       767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!DeleteFileW                                                      767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!TerminateProcess                                                 767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!VirtualProtect                                                   767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateMutexW                                                     767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!DeleteFileA                                                      767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!OpenProcess                                                      767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!MoveFileExW                                                      767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateDirectoryW                                                 767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!LoadResource                                                     767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!DeviceIoControl                                                  767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!VirtualAlloc                                                     767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!GetProcAddress                                                   767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateMutexA                                                     767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!LoadLibraryA                                                     767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateThread                                                     767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateFileW                                                      767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateFileA                                                      767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!WideCharToMultiByte                                              767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!MultiByteToWideChar                                              767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!LoadLibraryW                                                     767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!WriteFile                                                        768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!GetVolumeInformationW                                            76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!OpenMutexW                                                       76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!TerminateThread                                                  7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!MoveFileExA                                                      76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!GetVolumeInformationA                                            76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CopyFileA                                                        76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!MoveFileW                                                        76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateDirectoryA                                                 768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!WriteProcessMemory                                               7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!DebugActiveProcess                                               7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!MoveFileA                                                        7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CopyFileExA                                                      7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!WinExec                                                          7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!CreateRemoteThread                                               7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!VirtualProtectEx                                                 7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\lsm.exe[620] kernel32.dll!SetThreadContext                                                 768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!RegisterRawInputDevices                                            76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!RegisterRawInputDevices + 4                                        76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!GetWindowTextA                                                     76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!GetAsyncKeyState                                                   7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!GetWindowTextW                                                     7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!CreateWindowExA                                                    7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!SetWindowsHookExW                                                  7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!CreateWindowExW                                                    7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!ShowWindow                                                         7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!ShowWindow + 4                                                     7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!SetWinEventHook                                                    766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!GetKeyState                                                        76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!DrawTextW                                                          76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!SetWindowTextW                                                     7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!DrawTextA                                                          7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!SetWindowTextA                                                     76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!GetKeyboardState                                                   76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!GetKeyboardState + 4                                               7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!SetWindowsHookExA                                                  76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!DdeConnect                                                         7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\lsm.exe[620] USER32.dll!EndTask                                                            7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\lsm.exe[620] GDI32.dll!DeleteDC                                                            77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] GDI32.dll!GetPixel                                                            77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] GDI32.dll!CreateDCA                                                           77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] GDI32.dll!CreateDCW                                                           77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!OpenSCManagerW                                                   7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegOpenKeyA                                                      7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegCreateKeyA                                                    7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegQueryValueA                                                   7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegDeleteKeyW                                                    767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegCreateKeyExA                                                  767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegSetValueExA                                                   76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegSetValueExW                                                   76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegCreateKeyW                                                    76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegOpenKeyW                                                      767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!OpenSCManagerA                                                   76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!LookupPrivilegeValueA                                            76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegCreateKeyExW                                                  7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!AdjustTokenPrivileges                                            7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!LookupPrivilegeValueW                                            76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!OpenProcessToken                                                 76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegQueryValueW                                                   76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegQueryValueW + 4                                               76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegOpenKeyExW                                                    7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegQueryValueExW                                                 7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegQueryValueExA                                                 7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegOpenKeyExA                                                    76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!CreateServiceW                                                   767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!RegDeleteKeyA                                                    7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!CreateProcessAsUserA                                             76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!CreateServiceA                                                   76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\lsm.exe[620] ADVAPI32.dll!LsaRemoveAccountRights                                           767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\lsm.exe[620] SHELL32.dll!ShellExecuteW                                                     76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\lsm.exe[620] SHELL32.dll!Shell_NotifyIconW                                                 76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\lsm.exe[620] SHELL32.dll!ShellExecuteExW                                                   76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\lsm.exe[620] SHELL32.dll!ShellExecuteEx                                                    7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\lsm.exe[620] SHELL32.dll!ShellExecuteA                                                     77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\lsm.exe[620] SHELL32.dll!Shell_NotifyIcon                                                  77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\svchost.exe[748] ntdll.dll!NtAlpcSendWaitReceivePort                                       77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] ntdll.dll!NtClose                                                         77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] ntdll.dll!NtLoadDriver                                                    77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[748] ntdll.dll!NtLoadDriver + 4                                                77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\svchost.exe[748] ntdll.dll!NtSuspendProcess                                                77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[748] ntdll.dll!NtSuspendProcess + 4                                            77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\svchost.exe[748] ntdll.dll!LdrUnloadDll                                                    77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] ntdll.dll!LdrLoadDll                                                      77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateProcessW                                               767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateProcessA                                               767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateProcessAsUserW                                         767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CopyFileW                                                    767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CopyFileExW                                                  767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateToolhelp32Snapshot                                     767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!OpenMutexA                                                   767F0412 6 Bytes  JMP 70BA000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!DeleteFileW                                                  767F1737 6 Bytes  JMP 70A2000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!TerminateProcess                                             767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!VirtualProtect                                               767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateMutexW                                                 767F33D6 6 Bytes  JMP 70BD000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!DeleteFileA                                                  767F43CA 6 Bytes  JMP 70A5000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!OpenProcess                                                  767F54E7 6 Bytes  JMP 707F000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!MoveFileExW                                                  767F8DF8 6 Bytes  JMP 7082000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateDirectoryW                                             767F99D1 6 Bytes  JMP 70D5000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!LoadResource                                                 767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!DeviceIoControl                                              767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!VirtualAlloc                                                 767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!GetProcAddress                                               767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateMutexA                                                 767FD7C4 6 Bytes  JMP 70C0000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!LoadLibraryA                                                 767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateThread                                                 767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateFileW                                                  767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateFileA                                                  767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!WideCharToMultiByte                                          767FEEEA 6 Bytes  JMP 708E000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!MultiByteToWideChar                                          767FEEF7 6 Bytes  JMP 70B4000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!LoadLibraryW                                                 767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!WriteFile                                                    768053DE 6 Bytes  JMP 70D2000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!GetVolumeInformationW                                        76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!OpenMutexW                                                   76808ECD 6 Bytes  JMP 70B7000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!TerminateThread                                              7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!MoveFileExA                                                  76813F68 6 Bytes  JMP 7085000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!GetVolumeInformationA                                        76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CopyFileA                                                    76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!MoveFileW                                                    76816EC6 6 Bytes  JMP 7088000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateDirectoryA                                             768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!WriteProcessMemory                                           7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!DebugActiveProcess                                           7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!MoveFileA                                                    7683BF49 6 Bytes  JMP 708B000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CopyFileExA                                                  7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!WinExec                                                      7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!CreateRemoteThread                                           7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!VirtualProtectEx                                             7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\svchost.exe[748] kernel32.dll!SetThreadContext                                             768408B3 6 Bytes  JMP 70CF000A 
.text           C:\Windows\system32\svchost.exe[748] RPCRT4.dll!RpcServerRegisterIfEx                                          764608A4 5 Bytes  JMP 1001F870 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!RegisterRawInputDevices                                        76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!RegisterRawInputDevices + 4                                    76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!GetWindowTextA                                                 76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!GetAsyncKeyState                                               7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!GetWindowTextW                                                 7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!CreateWindowExA                                                7663BF40 6 Bytes  JMP 70AB000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!SetWindowsHookExW                                              7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!CreateWindowExW                                                7663EC7C 6 Bytes  JMP 70A8000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!ShowWindow                                                     7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!ShowWindow + 4                                                 7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!SetWinEventHook                                                766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!GetKeyState                                                    76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!DrawTextW                                                      76645B6A 6 Bytes  JMP 70AE000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!SetWindowTextW                                                 7664612B 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!DrawTextA                                                      7665AE29 6 Bytes  JMP 70B1000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!SetWindowTextA                                                 76660C5B 6 Bytes  JMP 7099000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!GetKeyboardState                                               76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!GetKeyboardState + 4                                           7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!SetWindowsHookExA                                              76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!DdeConnect                                                     7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\svchost.exe[748] USER32.dll!EndTask                                                        7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\svchost.exe[748] GDI32.dll!DeleteDC                                                        77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] GDI32.dll!GetPixel                                                        77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] GDI32.dll!CreateDCA                                                       77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] GDI32.dll!CreateDCW                                                       77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!OpenSCManagerW                                               7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyA                                                  7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyA                                                7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegQueryValueA                                               7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegDeleteKeyW                                                767211F2 6 Bytes  JMP 709C000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyExA                                              767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegSetValueExA                                               76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegSetValueExW                                               76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyW                                                76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyW                                                  767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!OpenSCManagerA                                               76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!LookupPrivilegeValueA                                        76723FCA 6 Bytes  JMP 70C9000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyExW                                              7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!AdjustTokenPrivileges                                        7672410E 6 Bytes  JMP 70C3000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!LookupPrivilegeValueW                                        76724133 6 Bytes  JMP 70C6000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!OpenProcessToken                                             76724284 6 Bytes  JMP 70CC000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegQueryValueW                                               76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegQueryValueW + 4                                           76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExW                                                7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegQueryValueExW                                             7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegQueryValueExA                                             7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExA                                                76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!CreateServiceW                                               767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!RegDeleteKeyA                                                7673A84F 6 Bytes  JMP 709F000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!CreateProcessAsUserA                                         76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!CreateServiceA                                               76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\svchost.exe[748] ADVAPI32.dll!LsaRemoveAccountRights                                       767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[748] SHELL32.dll!ShellExecuteW                                                 76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\svchost.exe[748] SHELL32.dll!Shell_NotifyIconW                                             76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\svchost.exe[748] SHELL32.dll!ShellExecuteExW                                               76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\svchost.exe[748] SHELL32.dll!ShellExecuteEx                                                7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\svchost.exe[748] SHELL32.dll!ShellExecuteA                                                 77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\svchost.exe[748] SHELL32.dll!Shell_NotifyIcon                                              77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\ibmpmsvc.exe[812] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\ibmpmsvc.exe[812] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!CreateThread                                                 767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!CreateFileW                                                  767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!CreateFileA                                                  767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!WideCharToMultiByte                                          767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!MultiByteToWideChar                                          767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!LoadLibraryW                                                 767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!WriteFile                                                    768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!GetVolumeInformationW                                        76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!OpenMutexW                                                   76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!TerminateThread                                              7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!MoveFileExA                                                  76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!GetVolumeInformationA                                        76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!CopyFileA                                                    76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!MoveFileW                                                    76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!CreateDirectoryA                                             768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!WriteProcessMemory                                           7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!DebugActiveProcess                                           7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!MoveFileA                                                    7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!CopyFileExA                                                  7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!WinExec                                                      7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!CreateRemoteThread                                           7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!VirtualProtectEx                                             7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\svchost.exe[868] kernel32.dll!SetThreadContext                                             768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[868] RPCRT4.dll!RpcServerRegisterIfEx                                          764608A4 5 Bytes  JMP 1001F870 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!RegisterRawInputDevices                                        76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!RegisterRawInputDevices + 4                                    76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!GetWindowTextA                                                 76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!GetAsyncKeyState                                               7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!GetWindowTextW                                                 7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!CreateWindowExA                                                7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!SetWindowsHookExW                                              7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!CreateWindowExW                                                7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!ShowWindow                                                     7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!ShowWindow + 4                                                 7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!SetWinEventHook                                                766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!GetKeyState                                                    76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!DrawTextW                                                      76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!SetWindowTextW                                                 7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!DrawTextA                                                      7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!SetWindowTextA                                                 76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!GetKeyboardState                                               76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!GetKeyboardState + 4                                           7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!SetWindowsHookExA                                              76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!DdeConnect                                                     7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\svchost.exe[868] USER32.dll!EndTask                                                        7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\svchost.exe[868] GDI32.dll!DeleteDC                                                        77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[868] GDI32.dll!GetPixel                                                        77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[868] GDI32.dll!CreateDCA                                                       77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[868] GDI32.dll!CreateDCW                                                       77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!OpenSCManagerW                                               7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyA                                                  7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyA                                                7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegQueryValueA                                               7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegDeleteKeyW                                                767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExA                                              767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegSetValueExA                                               76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegSetValueExW                                               76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW                                                76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyW                                                  767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!OpenSCManagerA                                               76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!LookupPrivilegeValueA                                        76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExW                                              7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!AdjustTokenPrivileges                                        7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!LookupPrivilegeValueW                                        76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!OpenProcessToken                                             76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegQueryValueW                                               76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegQueryValueW + 4                                           76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExW                                                7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegQueryValueExW                                             7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegQueryValueExA                                             7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExA                                                76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!CreateServiceW                                               767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!RegDeleteKeyA                                                7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!CreateProcessAsUserA                                         76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!CreateServiceA                                               76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\svchost.exe[868] ADVAPI32.dll!LsaRemoveAccountRights                                       767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[868] rpcss.dll!CoGetComCatalog                                                 752535EC 8 Bytes  JMP EDF01001 
.text           C:\Windows\system32\svchost.exe[868] SHELL32.dll!ShellExecuteW                                                 76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\svchost.exe[868] SHELL32.dll!Shell_NotifyIconW                                             76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\svchost.exe[868] SHELL32.dll!ShellExecuteExW                                               76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\svchost.exe[868] SHELL32.dll!ShellExecuteEx                                                7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\svchost.exe[868] SHELL32.dll!ShellExecuteA                                                 77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\svchost.exe[868] SHELL32.dll!Shell_NotifyIcon                                              77098F9E 6 Bytes  JMP 70EE000A 
.text           E:\FRST.exe[884] ntdll.dll!NtAlpcSendWaitReceivePort                                                           77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] ntdll.dll!NtClose                                                                             77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] ntdll.dll!NtLoadDriver                                                                        77C85B98 3 Bytes  [FF, 25, 1E]
.text           E:\FRST.exe[884] ntdll.dll!NtLoadDriver + 4                                                                    77C85B9C 2 Bytes  [5F, 71]
.text           E:\FRST.exe[884] ntdll.dll!NtSuspendProcess                                                                    77C868C8 3 Bytes  [FF, 25, 1E]
.text           E:\FRST.exe[884] ntdll.dll!NtSuspendProcess + 4                                                                77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           E:\FRST.exe[884] ntdll.dll!LdrUnloadDll                                                                        77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] ntdll.dll!LdrLoadDll                                                                          77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] kernel32.dll!CreateProcessW                                                                   767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] kernel32.dll!CreateProcessA                                                                   767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] kernel32.dll!CreateProcessAsUserW                                                             767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] kernel32.dll!CopyFileW                                                                        767E6B3F 6 Bytes  JMP 70F7000A 
.text           E:\FRST.exe[884] kernel32.dll!CopyFileExW                                                                      767EB280 6 Bytes  JMP 70F1000A 
.text           E:\FRST.exe[884] kernel32.dll!CreateToolhelp32Snapshot                                                         767EFD29 6 Bytes  JMP 7118000A 
.text           E:\FRST.exe[884] kernel32.dll!OpenMutexA                                                                       767F0412 6 Bytes  JMP 70C1000A 
.text           E:\FRST.exe[884] kernel32.dll!DeleteFileW                                                                      767F1737 6 Bytes  JMP 70A9000A 
.text           E:\FRST.exe[884] kernel32.dll!TerminateProcess                                                                 767F2C05 6 Bytes  JMP 71A4000A 
.text           E:\FRST.exe[884] kernel32.dll!VirtualProtect                                                                   767F2C15 6 Bytes  JMP 710F000A 
.text           E:\FRST.exe[884] kernel32.dll!CreateMutexW                                                                     767F33D6 6 Bytes  JMP 70C4000A 
.text           E:\FRST.exe[884] kernel32.dll!DeleteFileA                                                                      767F43CA 6 Bytes  JMP 70AC000A 
.text           E:\FRST.exe[884] kernel32.dll!OpenProcess                                                                      767F54E7 6 Bytes  JMP 708B000A 
.text           E:\FRST.exe[884] kernel32.dll!MoveFileExW                                                                      767F8DF8 6 Bytes  JMP 708E000A 
.text           E:\FRST.exe[884] kernel32.dll!CreateDirectoryW                                                                 767F99D1 6 Bytes  JMP 70DC000A 
.text           E:\FRST.exe[884] kernel32.dll!LoadResource                                                                     767F9CBA 6 Bytes  JMP 70FD000A 
.text           E:\FRST.exe[884] kernel32.dll!DeviceIoControl                                                                  767FB96D 6 Bytes  JMP 70E8000A 
.text           E:\FRST.exe[884] kernel32.dll!VirtualAlloc                                                                     767FC42A 6 Bytes  JMP 7112000A 
.text           E:\FRST.exe[884] kernel32.dll!GetProcAddress                                                                   767FCC84 6 Bytes  JMP 7151000A 
.text           E:\FRST.exe[884] kernel32.dll!CreateMutexA                                                                     767FD7C4 6 Bytes  JMP 70C7000A 
.text           E:\FRST.exe[884] kernel32.dll!LoadLibraryA                                                                     767FDC55 6 Bytes  JMP 719E000A 
.text           E:\FRST.exe[884] kernel32.dll!CreateThread                                                                     767FDCB2 6 Bytes  JMP 7115000A 
.text           E:\FRST.exe[884] kernel32.dll!CreateFileW                                                                      767FE895 6 Bytes  JMP 711E000A 
.text           E:\FRST.exe[884] kernel32.dll!CreateFileA                                                                      767FEA51 6 Bytes  JMP 711B000A 
.text           E:\FRST.exe[884] kernel32.dll!WideCharToMultiByte                                                              767FEEEA 6 Bytes  JMP 709A000A 
.text           E:\FRST.exe[884] kernel32.dll!MultiByteToWideChar                                                              767FEEF7 6 Bytes  JMP 70BB000A 
.text           E:\FRST.exe[884] kernel32.dll!LoadLibraryW                                                                     767FEF32 6 Bytes  JMP 719B000A 
.text           E:\FRST.exe[884] kernel32.dll!WriteFile                                                                        768053DE 6 Bytes  JMP 70D9000A 
.text           E:\FRST.exe[884] kernel32.dll!GetVolumeInformationW                                                            76806191 6 Bytes  JMP 714B000A 
.text           E:\FRST.exe[884] kernel32.dll!OpenMutexW                                                                       76808ECD 6 Bytes  JMP 70BE000A 
.text           E:\FRST.exe[884] kernel32.dll!TerminateThread                                                                  7680BBF1 6 Bytes  JMP 7175000A 
.text           E:\FRST.exe[884] kernel32.dll!MoveFileExA                                                                      76813F68 6 Bytes  JMP 7091000A 
.text           E:\FRST.exe[884] kernel32.dll!GetVolumeInformationA                                                            76815CB2 6 Bytes  JMP 714E000A 
.text           E:\FRST.exe[884] kernel32.dll!CopyFileA                                                                        76816D4A 6 Bytes  JMP 70FA000A 
.text           E:\FRST.exe[884] kernel32.dll!MoveFileW                                                                        76816EC6 6 Bytes  JMP 7094000A 
.text           E:\FRST.exe[884] kernel32.dll!CreateDirectoryA                                                                 768180D5 6 Bytes  JMP 70DF000A 
.text           E:\FRST.exe[884] kernel32.dll!WriteProcessMemory                                                               7681958F 6 Bytes  JMP 71A1000A 
.text           E:\FRST.exe[884] kernel32.dll!DebugActiveProcess                                                               7683738C 6 Bytes  JMP 7172000A 
.text           E:\FRST.exe[884] kernel32.dll!MoveFileA                                                                        7683BF49 6 Bytes  JMP 7097000A 
.text           E:\FRST.exe[884] kernel32.dll!CopyFileExA                                                                      7683CDA1 6 Bytes  JMP 70F4000A 
.text           E:\FRST.exe[884] kernel32.dll!WinExec                                                                          7683ED9E 6 Bytes  JMP 717E000A 
.text           E:\FRST.exe[884] kernel32.dll!CreateRemoteThread                                                               7683FADB 6 Bytes  JMP 71AE000A 
.text           E:\FRST.exe[884] kernel32.dll!VirtualProtectEx                                                                 7683FD39 6 Bytes  JMP 7163000A 
.text           E:\FRST.exe[884] kernel32.dll!SetThreadContext                                                                 768408B3 6 Bytes  JMP 70D6000A
         
Hello Schrauber,
when I compare my Gmer file with those in other posts, its size seems a bit unsettling to me.
Before I upload any further parts, I will wait for a reply.

Regards, Regina


Alt 20.02.2014, 13:10   #6
schrauber
/// the machine
/// TB-Ausbilder
 


Windows 7: Bluescreen nach Start,Wiederherstellung erfolgreich aber Malwareverdacht



Gmer can be huge. Please post it in full.

Alt 21.02.2014, 22:03   #7
gini57
 

Windows 7: Bluescreen nach Start,Wiederherstellung erfolgreich aber Malwareverdacht



Continuing:

gmer03_1196-1803.txt

Code:
.text           E:\FRST.exe[884] ADVAPI32.dll!OpenSCManagerW                                                                   7671CA04 6 Bytes  JMP 7109000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegOpenKeyA                                                                      7671CBB5 6 Bytes  JMP 713C000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegCreateKeyA                                                                    7671CCA1 6 Bytes  JMP 7142000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegQueryValueA                                                                   7671CDB2 5 Bytes  JMP 712A000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegDeleteKeyW                                                                    767211F2 6 Bytes  JMP 70A3000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegCreateKeyExA                                                                  767213E9 6 Bytes  JMP 7148000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegSetValueExA                                                                   76721433 6 Bytes  JMP 7130000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegSetValueExW                                                                   76721456 6 Bytes  JMP 712D000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegCreateKeyW                                                                    76721494 6 Bytes  JMP 713F000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegOpenKeyW                                                                      767223D9 6 Bytes  JMP 7139000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!OpenSCManagerA                                                                   76722B58 6 Bytes  JMP 710C000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!LookupPrivilegeValueA                                                            76723FCA 6 Bytes  JMP 70D0000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegCreateKeyExW                                                                  7672407E 6 Bytes  JMP 7145000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!AdjustTokenPrivileges                                                            7672410E 6 Bytes  JMP 70CA000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!LookupPrivilegeValueW                                                            76724133 6 Bytes  JMP 70CD000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!OpenProcessToken                                                                 76724284 6 Bytes  JMP 70D3000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegQueryValueW                                                                   76724434 3 Bytes  [FF, 25, 1E]
.text           E:\FRST.exe[884] ADVAPI32.dll!RegQueryValueW + 4                                                               76724438 2 Bytes  [26, 71]
.text           E:\FRST.exe[884] ADVAPI32.dll!RegOpenKeyExW                                                                    7672460D 6 Bytes  JMP 7133000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegQueryValueExW                                                                 7672462D 6 Bytes  JMP 7121000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegQueryValueExA                                                                 7672486F 6 Bytes  JMP 7124000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegOpenKeyExA                                                                    76724887 6 Bytes  JMP 7136000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!CreateServiceW                                                                   767370C4 6 Bytes  JMP 715A000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!RegDeleteKeyA                                                                    7673A84F 6 Bytes  JMP 70A6000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!CreateProcessAsUserA                                                             76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] ADVAPI32.dll!CreateServiceA                                                                   76753264 6 Bytes  JMP 715D000A 
.text           E:\FRST.exe[884] ADVAPI32.dll!LsaRemoveAccountRights                                                           767589F1 6 Bytes  JMP 71A7000A 
.text           E:\FRST.exe[884] GDI32.dll!DeleteDC                                                                            77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] GDI32.dll!GetPixel                                                                            77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] GDI32.dll!CreateDCA                                                                           77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] GDI32.dll!CreateDCW                                                                           77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           E:\FRST.exe[884] USER32.dll!RegisterRawInputDevices                                                            76635B52 3 Bytes  [FF, 25, 1E]
.text           E:\FRST.exe[884] USER32.dll!RegisterRawInputDevices + 4                                                        76635B56 2 Bytes  [53, 71]
.text           E:\FRST.exe[884] USER32.dll!GetWindowTextA                                                                     76636EED 6 Bytes  JMP 7106000A 
.text           E:\FRST.exe[884] USER32.dll!GetAsyncKeyState                                                                   7663A256 6 Bytes  JMP 716C000A 
.text           E:\FRST.exe[884] USER32.dll!GetWindowTextW                                                                     7663B8C5 6 Bytes  JMP 7103000A 
.text           E:\FRST.exe[884] USER32.dll!CreateWindowExA                                                                    7663BF40 6 Bytes  JMP 70B2000A 
.text           E:\FRST.exe[884] USER32.dll!SetWindowsHookExW                                                                  7663E30C 6 Bytes  JMP 7195000A 
.text           E:\FRST.exe[884] USER32.dll!CreateWindowExW                                                                    7663EC7C 6 Bytes  JMP 70AF000A 
.text           E:\FRST.exe[884] USER32.dll!ShowWindow                                                                         7663F2A9 3 Bytes  [FF, 25, 1E]
.text           E:\FRST.exe[884] USER32.dll!ShowWindow + 4                                                                     7663F2AD 2 Bytes  [FF, 70]
.text           E:\FRST.exe[884] USER32.dll!SetWinEventHook                                                                    766424DC 6 Bytes  JMP 7157000A 
.text           E:\FRST.exe[884] USER32.dll!GetKeyState                                                                        76642B4D 6 Bytes  JMP 716F000A 
.text           E:\FRST.exe[884] USER32.dll!DrawTextW                                                                          76645B6A 6 Bytes  JMP 70B5000A 
.text           E:\FRST.exe[884] USER32.dll!SetWindowTextW                                                                     7664612B 6 Bytes  JMP 709D000A 
.text           E:\FRST.exe[884] USER32.dll!DrawTextA                                                                          7665AE29 6 Bytes  JMP 70B8000A 
.text           E:\FRST.exe[884] USER32.dll!SetWindowTextA                                                                     76660C5B 6 Bytes  JMP 70A0000A 
.text           E:\FRST.exe[884] USER32.dll!GetKeyboardState                                                                   76666946 3 Bytes  [FF, 25, 1E]
.text           E:\FRST.exe[884] USER32.dll!GetKeyboardState + 4                                                               7666694A 2 Bytes  [68, 71]
.text           E:\FRST.exe[884] USER32.dll!SetWindowsHookExA                                                                  76666D0C 6 Bytes  JMP 7198000A 
.text           E:\FRST.exe[884] USER32.dll!DdeConnect                                                                         7667EB5B 6 Bytes  JMP 7166000A 
.text           E:\FRST.exe[884] USER32.dll!EndTask                                                                            7667FD66 6 Bytes  JMP 717B000A 
.text           E:\FRST.exe[884] SHELL32.dll!ShellExecuteW                                                                     76E63C31 6 Bytes  JMP 7187000A 
.text           E:\FRST.exe[884] SHELL32.dll!Shell_NotifyIconW                                                                 76E70171 6 Bytes  JMP 70EB000A 
.text           E:\FRST.exe[884] SHELL32.dll!ShellExecuteExW                                                                   76E71DF6 6 Bytes  JMP 7181000A 
.text           E:\FRST.exe[884] SHELL32.dll!ShellExecuteEx                                                                    7709748A 6 Bytes  JMP 7184000A 
.text           E:\FRST.exe[884] SHELL32.dll!ShellExecuteA                                                                     77097525 6 Bytes  JMP 718A000A 
.text           E:\FRST.exe[884] SHELL32.dll!Shell_NotifyIcon                                                                  77098F9E 6 Bytes  JMP 70EE000A 
.text           E:\FRST.exe[884] WININET.dll!InternetOpenUrlA                                                                  7696E1C6 6 Bytes  JMP 70E5000A 
.text           E:\FRST.exe[884] WININET.dll!InternetOpenUrlW                                                                  769CDC08 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[904] ntdll.dll!NtAllocateVirtualMemory           77C85318 5 Bytes  JMP 00534850 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text           C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[904] ntdll.dll!NtCreateFile                      77C85608 5 Bytes  JMP 0054ECA0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text           C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [4A, 71]
.text           C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1028] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [75, 71] {JNZ 0x73}
.text           C:\Windows\system32\svchost.exe[1028] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 707C000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 707F000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 705E000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7061000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 706D000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 708E000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7160000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7064000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 7067000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 706A000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717C000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\svchost.exe[1028] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [3E, 71]
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 7085000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 7082000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [CC, 70]
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 7088000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 7070000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 708B000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 7073000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [53, 71]
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\svchost.exe[1028] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 7179000A 
.text           C:\Windows\system32\svchost.exe[1028] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 7127000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 7076000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 712A000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [F3, 70]
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 7079000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\svchost.exe[1028] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[1028] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7185000A 
.text           C:\Windows\system32\svchost.exe[1028] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\svchost.exe[1028] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 717F000A 
.text           C:\Windows\system32\svchost.exe[1028] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7182000A 
.text           C:\Windows\system32\svchost.exe[1028] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 7188000A 
.text           C:\Windows\system32\svchost.exe[1028] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70BB000A 
.text           C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\System32\svchost.exe[1080] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\System32\svchost.exe[1080] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\System32\svchost.exe[1080] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\System32\svchost.exe[1080] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\System32\svchost.exe[1080] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\System32\svchost.exe[1080] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\System32\svchost.exe[1080] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\System32\svchost.exe[1080] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\System32\svchost.exe[1080] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\System32\svchost.exe[1080] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [4D, 71]
.text           C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\System32\svchost.exe[1112] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70E5000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70DF000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7106000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70B5000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 709B000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 70FD000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70B8000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 709E000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 707D000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7080000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70D0000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70EB000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70D6000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7100000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 713F000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70BB000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7103000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 710C000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 7109000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 708C000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70AD000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70CD000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 7139000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70B2000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7083000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 713C000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70E8000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 7086000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70D3000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 7089000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\System32\svchost.exe[1112] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70CA000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [41, 71]
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 70F4000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 70F1000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70A4000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70A1000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [ED, 70]
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7145000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70A7000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 708F000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70AA000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 7092000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\System32\svchost.exe[1112] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\System32\svchost.exe[1112] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 70F7000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 712A000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7130000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 7118000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 7095000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7136000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 711E000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 711B000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 712D000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7127000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 70FA000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70C4000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7133000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70BE000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70C1000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70C7000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [14, 71] {ADC AL, 0x71}
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7121000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 710F000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7112000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7124000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 7148000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 7098000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 714B000A 
.text           C:\Windows\System32\svchost.exe[1112] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\System32\svchost.exe[1112] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\System32\svchost.exe[1112] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70D9000A 
.text           C:\Windows\System32\svchost.exe[1112] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\System32\svchost.exe[1112] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\System32\svchost.exe[1112] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\System32\svchost.exe[1112] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [54, 71]
.text           C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\svchost.exe[1152] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70EC000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70E6000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 710D000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70B0000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 7098000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 7104000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70B3000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 709B000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 707A000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 707D000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70D7000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70F2000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70DD000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7107000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7146000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70B6000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 710A000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 7113000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 7110000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 7089000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70AA000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70C8000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 7140000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70AD000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7080000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 7143000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70EF000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 7083000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70DA000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 7086000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70E9000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7158000A 
.text           C:\Windows\system32\svchost.exe[1152] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70C5000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [48, 71]
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 70FB000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 7161000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 70F8000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70A1000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 709E000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [F4, 70]
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 714C000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70A4000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 708C000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70A7000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 708F000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [5D, 71]
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 715B000A 
.text           C:\Windows\system32\svchost.exe[1152] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\svchost.exe[1152] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 70FE000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 7131000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7137000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 711F000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 7092000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 713D000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7125000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 7122000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 7134000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 712E000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 7101000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70BF000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 713A000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70B9000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70BC000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70C2000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [1B, 71]
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7128000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7116000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7119000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 712B000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 714F000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 7095000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 7152000A 
.text           C:\Windows\system32\svchost.exe[1152] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[1152] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\svchost.exe[1152] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70E0000A 
.text           C:\Windows\system32\svchost.exe[1152] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\svchost.exe[1152] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\svchost.exe[1152] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\svchost.exe[1152] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70E3000A 
.text           C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [46, 71]
.text           C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1176] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [5E, 71]
.text           C:\Windows\system32\svchost.exe[1176] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70C9000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70C3000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 4 Bytes  JMP FE001E25 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateToolhelp32Snapshot + 5                                767EFD2E 1 Byte  [70]
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 704C000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 7034000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 7196000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 70F6000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 704F000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 7037000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7014000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7017000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70B4000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70E4000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70BA000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 70F9000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7138000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 7052000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 7190000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 70FC000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 7105000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 7102000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 7023000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 7046000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 718D000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70B1000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 7132000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 7049000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 715C000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 701A000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 7135000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70D4000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 701D000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70B7000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 7193000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7159000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 7020000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70C6000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 7165000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71A0000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 714A000A 
.text           C:\Windows\system32\svchost.exe[1176] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70AE000A 
.text           C:\Windows\system32\svchost.exe[1176] RPCRT4.dll!RpcServerRegisterIfEx                                         764608A4 5 Bytes  JMP 1001F870 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [3A, 71]
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 70ED000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 7153000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 70EA000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 703D000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 703A000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [E6, 70] {OUT 0x70, AL}
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 713E000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 7156000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 7040000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 7026000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 7043000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 7029000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [4F, 71]
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 714D000A 
.text           C:\Windows\system32\svchost.exe[1176] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 7162000A 
.text           C:\Windows\system32\svchost.exe[1176] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 70F0000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 7123000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7129000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 7111000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 702E000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 712F000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7117000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 7114000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 7126000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7120000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 70F3000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 706F000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 712C000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 7055000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 706C000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 7096000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [0D, 71]
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 711A000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7108000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 710B000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 711D000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 7141000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 7031000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 7144000A 
.text           C:\Windows\system32\svchost.exe[1176] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 7199000A
         

21.02.2014, 22:05   #8
gini57

Windows 7: Blue screen after startup, system restore successful but malware suspected

gmer04_1804-2359.txt

Code:
.text           C:\Windows\system32\svchost.exe[1176] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 716E000A 
.text           C:\Windows\system32\svchost.exe[1176] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70BD000A 
.text           C:\Windows\system32\svchost.exe[1176] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7168000A 
.text           C:\Windows\system32\svchost.exe[1176] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 716B000A 
.text           C:\Windows\system32\svchost.exe[1176] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 7171000A 
.text           C:\Windows\system32\svchost.exe[1176] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70C0000A 
.text           C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1272] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\svchost.exe[1272] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\svchost.exe[1272] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\svchost.exe[1272] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\svchost.exe[1272] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[1272] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\svchost.exe[1272] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\svchost.exe[1272] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\svchost.exe[1272] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\svchost.exe[1272] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\svchost.exe[1272] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\svchost.exe[1308] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\svchost.exe[1308] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\svchost.exe[1308] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\svchost.exe[1308] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[1308] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\svchost.exe[1308] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\svchost.exe[1308] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\svchost.exe[1308] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\svchost.exe[1308] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\svchost.exe[1308] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\spoolsv.exe[1608] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\System32\spoolsv.exe[1608] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\spoolsv.exe[1608] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\System32\spoolsv.exe[1608] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70BF000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70A6000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70C2000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70A9000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7088000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 708B000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70C5000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 7097000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70B9000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70BC000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 708E000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 7091000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 7094000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\System32\spoolsv.exe[1608] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70AF000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70AC000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70B3000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 709A000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70B6000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 709D000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\System32\spoolsv.exe[1608] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\System32\spoolsv.exe[1608] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A0000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70C8000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70A3000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\System32\spoolsv.exe[1608] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\System32\spoolsv.exe[1608] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\System32\spoolsv.exe[1608] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\System32\spoolsv.exe[1608] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\System32\spoolsv.exe[1608] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\System32\spoolsv.exe[1608] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\System32\spoolsv.exe[1608] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [4A, 71]
.text           C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1644] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [62, 71]
.text           C:\Windows\system32\svchost.exe[1644] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70AB000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 7093000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70AE000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 7096000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7075000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7078000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70C6000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70B1000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 718C000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7100000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 7084000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70A5000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 7189000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70C3000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70A8000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7160000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 707B000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 707E000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70C9000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 7190000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 7081000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 7169000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\svchost.exe[1644] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70C0000A 
.text           C:\Windows\system32\svchost.exe[1644] RPCRT4.dll!RpcServerRegisterIfEx                                         764608A4 5 Bytes  JMP 1001F870 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [3E, 71]
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 709C000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7183000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 7099000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 709F000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 7087000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70A2000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 708A000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [53, 71]
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7186000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\svchost.exe[1644] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\svchost.exe[1644] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 7127000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 7115000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 708D000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 712A000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70BA000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70B4000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70B7000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70BD000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [11, 71]
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 7090000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\svchost.exe[1644] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[1644] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\svchost.exe[1644] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\svchost.exe[1644] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\svchost.exe[1644] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\svchost.exe[1644] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\svchost.exe[1644] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ntdll.dll!NtAlpcSendWaitReceivePort                           77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ntdll.dll!NtClose                                             77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ntdll.dll!NtLoadDriver                                        77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ntdll.dll!NtLoadDriver + 4                                    77C85B9C 2 Bytes  [5F, 71]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ntdll.dll!NtSuspendProcess                                    77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ntdll.dll!NtSuspendProcess + 4                                77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ntdll.dll!LdrUnloadDll                                        77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ntdll.dll!LdrLoadDll                                          77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateProcessW                                   767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateProcessA                                   767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateProcessAsUserW                             767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CopyFileW                                        767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CopyFileExW                                      767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateToolhelp32Snapshot                         767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!OpenMutexA                                       767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!DeleteFileW                                      767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!TerminateProcess                                 767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!VirtualProtect                                   767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateMutexW                                     767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!DeleteFileA                                      767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!OpenProcess                                      767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!MoveFileExW                                      767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateDirectoryW                                 767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!LoadResource                                     767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!DeviceIoControl                                  767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!VirtualAlloc                                     767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!GetProcAddress                                   767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateMutexA                                     767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!LoadLibraryA                                     767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateThread                                     767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateFileW                                      767FE895 6 Bytes  JMP 711E000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateFileA                                      767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!WideCharToMultiByte                              767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!MultiByteToWideChar                              767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!LoadLibraryW                                     767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!WriteFile                                        768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!GetVolumeInformationW                            76806191 6 Bytes  JMP 714B000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!OpenMutexW                                       76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!TerminateThread                                  7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!MoveFileExA                                      76813F68 6 Bytes  JMP 7097000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!GetVolumeInformationA                            76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CopyFileA                                        76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!MoveFileW                                        76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateDirectoryA                                 768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!WriteProcessMemory                               7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!DebugActiveProcess                               7683738C 6 Bytes  JMP 7172000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!MoveFileA                                        7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CopyFileExA                                      7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!WinExec                                          7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!CreateRemoteThread                               7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!VirtualProtectEx                                 7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] kernel32.dll!SetThreadContext                                 768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!OpenSCManagerW                                   7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegOpenKeyA                                      7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegCreateKeyA                                    7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegQueryValueA                                   7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegDeleteKeyW                                    767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegCreateKeyExA                                  767213E9 6 Bytes  JMP 7148000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegSetValueExA                                   76721433 6 Bytes  JMP 7130000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegSetValueExW                                   76721456 6 Bytes  JMP 712D000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegCreateKeyW                                    76721494 6 Bytes  JMP 713F000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegOpenKeyW                                      767223D9 6 Bytes  JMP 7139000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!OpenSCManagerA                                   76722B58 6 Bytes  JMP 710C000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!LookupPrivilegeValueA                            76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegCreateKeyExW                                  7672407E 6 Bytes  JMP 7145000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!AdjustTokenPrivileges                            7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!LookupPrivilegeValueW                            76724133 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!OpenProcessToken                                 76724284 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegQueryValueW                                   76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegQueryValueW + 4                               76724438 2 Bytes  [26, 71]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegOpenKeyExW                                    7672460D 6 Bytes  JMP 7133000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegQueryValueExW                                 7672462D 6 Bytes  JMP 7121000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegQueryValueExA                                 7672486F 6 Bytes  JMP 7124000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegOpenKeyExA                                    76724887 6 Bytes  JMP 7136000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!CreateServiceW                                   767370C4 6 Bytes  JMP 715A000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!RegDeleteKeyA                                    7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!CreateProcessAsUserA                             76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!CreateServiceA                                   76753264 6 Bytes  JMP 715D000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] ADVAPI32.dll!LsaRemoveAccountRights                           767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] SHELL32.dll!ShellExecuteW                                     76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] SHELL32.dll!Shell_NotifyIconW                                 76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] SHELL32.dll!ShellExecuteExW                                   76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] SHELL32.dll!ShellExecuteEx                                    7709748A 6 Bytes  JMP 7184000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] SHELL32.dll!ShellExecuteA                                     77097525 6 Bytes  JMP 718A000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] SHELL32.dll!Shell_NotifyIcon                                  77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] GDI32.dll!DeleteDC                                            77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] GDI32.dll!GetPixel                                            77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] GDI32.dll!CreateDCA                                           77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] GDI32.dll!CreateDCW                                           77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!RegisterRawInputDevices                            76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!RegisterRawInputDevices + 4                        76635B56 2 Bytes  [53, 71]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!GetWindowTextA                                     76636EED 6 Bytes  JMP 7106000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!GetAsyncKeyState                                   7663A256 6 Bytes  JMP 716C000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!GetWindowTextW                                     7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!CreateWindowExA                                    7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!SetWindowsHookExW                                  7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!CreateWindowExW                                    7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!ShowWindow                                         7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!ShowWindow + 4                                     7663F2AD 2 Bytes  [FF, 70]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!SetWinEventHook                                    766424DC 6 Bytes  JMP 7157000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!GetKeyState                                        76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!DrawTextW                                          76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!SetWindowTextW                                     7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!DrawTextA                                          7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!SetWindowTextA                                     76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!GetKeyboardState                                   76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!GetKeyboardState + 4                               7666694A 2 Bytes  [68, 71]
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!SetWindowsHookExA                                  76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!DdeConnect                                         7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1712] USER32.dll!EndTask                                            7667FD66 6 Bytes  JMP 717B000A

Alt 21.02.2014, 22:06   #9
gini57

Windows 7: Bluescreen after startup, restore successful but suspected malware

gmer05_2360-2925.txt

Code:
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ntdll.dll!NtAlpcSendWaitReceivePort           77C85458 5 Bytes  JMP 003BB670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ntdll.dll!NtClose                             77C85508 5 Bytes  JMP 003AD120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ntdll.dll!NtLoadDriver                        77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ntdll.dll!NtLoadDriver + 4                    77C85B9C 2 Bytes  [59, 71]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ntdll.dll!NtSuspendProcess                    77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ntdll.dll!NtSuspendProcess + 4                77C868CC 2 Bytes  [71, 71] {JNO 0x73}
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ntdll.dll!LdrUnloadDll                        77C9C8DE 7 Bytes  JMP 003AD240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ntdll.dll!LdrLoadDll                          77CA22AE 5 Bytes  JMP 003B7F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateProcessW                   767B204D 5 Bytes  JMP 003B5070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateProcessA                   767B2082 5 Bytes  JMP 003B5C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateProcessAsUserW             767E59FF 5 Bytes  JMP 003B3BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CopyFileW                        767E6B3F 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CopyFileExW                      767EB280 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateToolhelp32Snapshot         767EFD29 6 Bytes  JMP 7112000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!OpenMutexA                       767F0412 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!DeleteFileW                      767F1737 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!TerminateProcess                 767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!VirtualProtect                   767F2C15 6 Bytes  JMP 7109000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateMutexW                     767F33D6 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!DeleteFileA                      767F43CA 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!OpenProcess                      767F54E7 6 Bytes  JMP 7085000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!MoveFileExW                      767F8DF8 6 Bytes  JMP 7088000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateDirectoryW                 767F99D1 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!LoadResource                     767F9CBA 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!DeviceIoControl                  767FB96D 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!VirtualAlloc                     767FC42A 6 Bytes  JMP 710C000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!GetProcAddress                   767FCC84 6 Bytes  JMP 714B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateMutexA                     767FD7C4 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!LoadLibraryA                     767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateThread                     767FDCB2 6 Bytes  JMP 710F000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateFileW                      767FE895 6 Bytes  JMP 7118000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateFileA                      767FEA51 6 Bytes  JMP 7115000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!WideCharToMultiByte              767FEEEA 6 Bytes  JMP 7094000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!MultiByteToWideChar              767FEEF7 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!LoadLibraryW                     767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!WriteFile                        768053DE 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!GetVolumeInformationW            76806191 6 Bytes  JMP 7145000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!OpenMutexW                       76808ECD 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!TerminateThread                  7680BBF1 6 Bytes  JMP 716F000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!MoveFileExA                      76813F68 6 Bytes  JMP 708B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!GetVolumeInformationA            76815CB2 6 Bytes  JMP 7148000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CopyFileA                        76816D4A 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!MoveFileW                        76816EC6 6 Bytes  JMP 708E000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateDirectoryA                 768180D5 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!WriteProcessMemory               7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!DebugActiveProcess               7683738C 6 Bytes  JMP 716C000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!MoveFileA                        7683BF49 6 Bytes  JMP 7091000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CopyFileExA                      7683CDA1 6 Bytes  JMP 70EE000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!WinExec                          7683ED9E 6 Bytes  JMP 7178000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!CreateRemoteThread               7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!VirtualProtectEx                 7683FD39 6 Bytes  JMP 715D000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] kernel32.dll!SetThreadContext                 768408B3 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] GDI32.dll!DeleteDC                            77DF6EAA 5 Bytes  JMP 003B8D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] GDI32.dll!GetPixel                            77DFC3D5 5 Bytes  JMP 003B8AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] GDI32.dll!CreateDCA                           77DFCCA9 5 Bytes  JMP 003B9E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] GDI32.dll!CreateDCW                           77DFCF79 5 Bytes  JMP 003B9D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!RegisterRawInputDevices            76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!RegisterRawInputDevices + 4        76635B56 2 Bytes  [4D, 71]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!GetWindowTextA                     76636EED 6 Bytes  JMP 7100000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!GetAsyncKeyState                   7663A256 6 Bytes  JMP 7166000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!GetWindowTextW                     7663B8C5 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!CreateWindowExA                    7663BF40 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!SetWindowsHookExW                  7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!CreateWindowExW                    7663EC7C 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!ShowWindow                         7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!ShowWindow + 4                     7663F2AD 2 Bytes  [F9, 70]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!SetWinEventHook                    766424DC 6 Bytes  JMP 7151000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!GetKeyState                        76642B4D 6 Bytes  JMP 7169000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!DrawTextW                          76645B6A 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!SetWindowTextW                     7664612B 6 Bytes  JMP 7097000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!DrawTextA                          7665AE29 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!SetWindowTextA                     76660C5B 6 Bytes  JMP 709A000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!GetKeyboardState                   76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!GetKeyboardState + 4               7666694A 2 Bytes  [62, 71]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!SetWindowsHookExA                  76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!DdeConnect                         7667EB5B 6 Bytes  JMP 7160000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] USER32.dll!EndTask                            7667FD66 6 Bytes  JMP 7175000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!OpenSCManagerW                   7671CA04 6 Bytes  JMP 7103000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegOpenKeyA                      7671CBB5 6 Bytes  JMP 7136000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegCreateKeyA                    7671CCA1 6 Bytes  JMP 713C000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegQueryValueA                   7671CDB2 5 Bytes  JMP 7124000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegDeleteKeyW                    767211F2 6 Bytes  JMP 709D000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegCreateKeyExA                  767213E9 6 Bytes  JMP 7142000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegSetValueExA                   76721433 6 Bytes  JMP 712A000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegSetValueExW                   76721456 6 Bytes  JMP 7127000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegCreateKeyW                    76721494 6 Bytes  JMP 7139000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegOpenKeyW                      767223D9 6 Bytes  JMP 7133000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!OpenSCManagerA                   76722B58 6 Bytes  JMP 7106000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!LookupPrivilegeValueA            76723FCA 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegCreateKeyExW                  7672407E 6 Bytes  JMP 713F000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!AdjustTokenPrivileges            7672410E 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!LookupPrivilegeValueW            76724133 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!OpenProcessToken                 76724284 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegQueryValueW                   76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegQueryValueW + 4               76724438 2 Bytes  [20, 71]
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegOpenKeyExW                    7672460D 6 Bytes  JMP 712D000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegQueryValueExW                 7672462D 6 Bytes  JMP 711B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegQueryValueExA                 7672486F 6 Bytes  JMP 711E000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegOpenKeyExA                    76724887 6 Bytes  JMP 7130000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!CreateServiceW                   767370C4 6 Bytes  JMP 7154000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!RegDeleteKeyA                    7673A84F 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!CreateProcessAsUserA             76752642 5 Bytes  JMP 003B44D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!CreateServiceA                   76753264 6 Bytes  JMP 7157000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] ADVAPI32.dll!LsaRemoveAccountRights           767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] SHELL32.dll!ShellExecuteW                     76E63C31 6 Bytes  JMP 7181000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] SHELL32.dll!Shell_NotifyIconW                 76E70171 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] SHELL32.dll!ShellExecuteExW                   76E71DF6 6 Bytes  JMP 717B000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] SHELL32.dll!ShellExecuteEx                    7709748A 6 Bytes  JMP 717E000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] SHELL32.dll!ShellExecuteA                     77097525 6 Bytes  JMP 7184000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] SHELL32.dll!Shell_NotifyIcon                  77098F9E 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] WININET.dll!InternetOpenUrlA                  7696E1C6 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe[1760] WININET.dll!InternetOpenUrlW                  769CDC08 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[1860] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1860] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\svchost.exe[1860] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1860] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\svchost.exe[1860] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7088000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 708B000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 708E000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\svchost.exe[1860] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [F6, 70]
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\svchost.exe[1860] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\svchost.exe[1860] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7100000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 7121000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7127000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [1D, 71]
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 712A000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\svchost.exe[1860] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[1860] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\svchost.exe[1860] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\svchost.exe[1860] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\svchost.exe[1860] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\svchost.exe[1860] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\svchost.exe[1860] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ntdll.dll!NtAlpcSendWaitReceivePort          77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ntdll.dll!NtClose                            77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ntdll.dll!NtLoadDriver                       77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ntdll.dll!NtLoadDriver + 4                   77C85B9C 2 Bytes  [5F, 71]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ntdll.dll!NtSuspendProcess                   77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ntdll.dll!NtSuspendProcess + 4               77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ntdll.dll!LdrUnloadDll                       77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ntdll.dll!LdrLoadDll                         77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateProcessW                  767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateProcessA                  767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateProcessAsUserW            767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CopyFileW                       767E6B3F 6 Bytes  JMP 7077000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CopyFileExW                     767EB280 6 Bytes  JMP 7071000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateToolhelp32Snapshot        767EFD29 6 Bytes  JMP 7098000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!OpenMutexA                      767F0412 6 Bytes  JMP 7041000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!DeleteFileW                     767F1737 6 Bytes  JMP 7029000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!TerminateProcess                767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!VirtualProtect                  767F2C15 6 Bytes  JMP 708F000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateMutexW                    767F33D6 6 Bytes  JMP 7044000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!DeleteFileA                     767F43CA 6 Bytes  JMP 702C000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!OpenProcess                     767F54E7 6 Bytes  JMP 700B000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!MoveFileExW                     767F8DF8 6 Bytes  JMP 700E000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateDirectoryW                767F99D1 6 Bytes  JMP 705C000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!LoadResource                    767F9CBA 6 Bytes  JMP 707D000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!DeviceIoControl                 767FB96D 6 Bytes  JMP 7068000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!VirtualAlloc                    767FC42A 6 Bytes  JMP 7092000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!GetProcAddress                  767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateMutexA                    767FD7C4 6 Bytes  JMP 7047000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!LoadLibraryA                    767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateThread                    767FDCB2 6 Bytes  JMP 7095000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateFileW                     767FE895 6 Bytes  JMP 709E000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateFileA                     767FEA51 6 Bytes  JMP 709B000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!WideCharToMultiByte             767FEEEA 6 Bytes  JMP 701A000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!MultiByteToWideChar             767FEEF7 6 Bytes  JMP 703B000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!LoadLibraryW                    767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!WriteFile                       768053DE 6 Bytes  JMP 7059000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!GetVolumeInformationW           76806191 6 Bytes  JMP 714B000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!OpenMutexW                      76808ECD 6 Bytes  JMP 703E000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!TerminateThread                 7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!MoveFileExA                     76813F68 6 Bytes  JMP 7011000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!GetVolumeInformationA           76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CopyFileA                       76816D4A 6 Bytes  JMP 707A000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!MoveFileW                       76816EC6 6 Bytes  JMP 7014000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateDirectoryA                768180D5 6 Bytes  JMP 705F000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!WriteProcessMemory              7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!DebugActiveProcess              7683738C 6 Bytes  JMP 7172000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!MoveFileA                       7683BF49 6 Bytes  JMP 7017000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CopyFileExA                     7683CDA1 6 Bytes  JMP 7074000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!WinExec                         7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!CreateRemoteThread              7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!VirtualProtectEx                7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] kernel32.dll!SetThreadContext                768408B3 6 Bytes  JMP 7056000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!OpenSCManagerW                  7671CA04 6 Bytes  JMP 7089000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegOpenKeyA                     7671CBB5 6 Bytes  JMP 70BC000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegCreateKeyA                   7671CCA1 6 Bytes  JMP 70C2000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegQueryValueA                  7671CDB2 6 Bytes  JMP 70AA000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegDeleteKeyW                   767211F2 6 Bytes  JMP 7023000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegCreateKeyExA                 767213E9 6 Bytes  JMP 7148000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegSetValueExA                  76721433 6 Bytes  JMP 70B0000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegSetValueExW                  76721456 6 Bytes  JMP 70AD000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegCreateKeyW                   76721494 6 Bytes  JMP 70BF000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegOpenKeyW                     767223D9 6 Bytes  JMP 70B9000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!OpenSCManagerA                  76722B58 6 Bytes  JMP 708C000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!LookupPrivilegeValueA           76723FCA 6 Bytes  JMP 7050000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegCreateKeyExW                 7672407E 6 Bytes  JMP 70C5000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!AdjustTokenPrivileges           7672410E 6 Bytes  JMP 704A000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!LookupPrivilegeValueW           76724133 6 Bytes  JMP 704D000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!OpenProcessToken                76724284 6 Bytes  JMP 7053000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegQueryValueW                  76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegQueryValueW + 4              76724438 2 Bytes  [A6, 70]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegOpenKeyExW                   7672460D 6 Bytes  JMP 70B3000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegQueryValueExW                7672462D 6 Bytes  JMP 70A1000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegQueryValueExA                7672486F 6 Bytes  JMP 70A4000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegOpenKeyExA                   76724887 6 Bytes  JMP 70B6000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!CreateServiceW                  767370C4 6 Bytes  JMP 715A000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!RegDeleteKeyA                   7673A84F 6 Bytes  JMP 7026000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!CreateProcessAsUserA            76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!CreateServiceA                  76753264 6 Bytes  JMP 715D000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] ADVAPI32.dll!LsaRemoveAccountRights          767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!RegisterRawInputDevices           76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!RegisterRawInputDevices + 4       76635B56 2 Bytes  [53, 71]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetWindowTextA                    76636EED 6 Bytes  JMP 7086000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetAsyncKeyState                  7663A256 6 Bytes  JMP 716C000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetWindowTextW                    7663B8C5 6 Bytes  JMP 7083000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!CreateWindowExA                   7663BF40 6 Bytes  JMP 7032000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWindowsHookExW                 7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!CreateWindowExW                   7663EC7C 6 Bytes  JMP 702F000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!ShowWindow                        7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!ShowWindow + 4                    7663F2AD 2 Bytes  [7F, 70] {JG 0x72}
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWinEventHook                   766424DC 6 Bytes  JMP 7157000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetKeyState                       76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!DrawTextW                         76645B6A 6 Bytes  JMP 7035000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWindowTextW                    7664612B 6 Bytes  JMP 701D000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!DrawTextA                         7665AE29 6 Bytes  JMP 7038000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWindowTextA                    76660C5B 6 Bytes  JMP 7020000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetKeyboardState                  76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!GetKeyboardState + 4              7666694A 2 Bytes  [68, 71]
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!SetWindowsHookExA                 76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!DdeConnect                        7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] USER32.dll!EndTask                           7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] GDI32.dll!DeleteDC                           77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] GDI32.dll!GetPixel                           77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] GDI32.dll!CreateDCA                          77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] GDI32.dll!CreateDCW                          77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] WININET.dll!InternetOpenUrlA                 7696E1C6 6 Bytes  JMP 7065000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] WININET.dll!InternetOpenUrlW                 769CDC08 6 Bytes  JMP 7062000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!ShellExecuteW                    76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!Shell_NotifyIconW                76E70171 6 Bytes  JMP 706B000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!ShellExecuteExW                  76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!ShellExecuteEx                   7709748A 6 Bytes  JMP 7184000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!ShellExecuteA                    77097525 6 Bytes  JMP 718A000A 
.text           C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[1892] SHELL32.dll!Shell_NotifyIcon                 77098F9E 6 Bytes  JMP 706E000A 
.text           C:\Program Files\ThreatFire\TFService.exe[1944] ntdll.dll!NtAlpcSendWaitReceivePort                            77C85458 5 Bytes  JMP 0031B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] ntdll.dll!NtClose                                              77C85508 5 Bytes  JMP 0030D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] ntdll.dll!LdrUnloadDll                                         77C9C8DE 7 Bytes  JMP 0030D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] ntdll.dll!LdrLoadDll                                           77CA22AE 5 Bytes  JMP 00317F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] kernel32.dll!CreateProcessW                                    767B204D 5 Bytes  JMP 00315070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] kernel32.dll!CreateProcessA                                    767B2082 5 Bytes  JMP 00315C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] kernel32.dll!CreateProcessAsUserW                              767E59FF 5 Bytes  JMP 00313BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] GDI32.dll!DeleteDC                                             77DF6EAA 5 Bytes  JMP 00318D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] GDI32.dll!GetPixel                                             77DFC3D5 5 Bytes  JMP 00318AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] GDI32.dll!CreateDCA                                            77DFCCA9 5 Bytes  JMP 00319E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] GDI32.dll!CreateDCW                                            77DFCF79 5 Bytes  JMP 00319D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFService.exe[1944] ADVAPI32.dll!CreateProcessAsUserA                              76752642 5 Bytes  JMP 003144D0 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtAlpcSendWaitReceivePort                                           77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtClose                                                             77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtLoadDriver                                                        77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtLoadDriver + 4                                                    77C85B9C 2 Bytes  [5F, 71]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtSuspendProcess                                                    77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!NtSuspendProcess + 4                                                77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!LdrUnloadDll                                                        77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ntdll.dll!LdrLoadDll                                                          77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateProcessW                                                   767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateProcessA                                                   767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateProcessAsUserW                                             767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CopyFileW                                                        767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CopyFileExW                                                      767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateToolhelp32Snapshot                                         767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!OpenMutexA                                                       767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!DeleteFileW                                                      767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!TerminateProcess                                                 767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!VirtualProtect                                                   767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateMutexW                                                     767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!DeleteFileA                                                      767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!OpenProcess                                                      767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MoveFileExW                                                      767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateDirectoryW                                                 767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!LoadResource                                                     767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!DeviceIoControl                                                  767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!VirtualAlloc                                                     767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!GetProcAddress                                                   767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateMutexA                                                     767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!LoadLibraryA                                                     767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateThread                                                     767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateFileW                                                      767FE895 6 Bytes  JMP 711E000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateFileA                                                      767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!WideCharToMultiByte                                              767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MultiByteToWideChar                                              767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!LoadLibraryW                                                     767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!WriteFile                                                        768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!GetVolumeInformationW                                            76806191 6 Bytes  JMP 714B000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!OpenMutexW                                                       76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!TerminateThread                                                  7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MoveFileExA                                                      76813F68 6 Bytes  JMP 7097000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!GetVolumeInformationA                                            76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CopyFileA                                                        76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MoveFileW                                                        76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateDirectoryA                                                 768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!WriteProcessMemory                                               7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!DebugActiveProcess                                               7683738C 6 Bytes  JMP 7172000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!MoveFileA                                                        7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CopyFileExA                                                      7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!WinExec                                                          7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!CreateRemoteThread                                               7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!VirtualProtectEx                                                 7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] kernel32.dll!SetThreadContext                                                 768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!OpenSCManagerW                                                   7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegOpenKeyA                                                      7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegCreateKeyA                                                    7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueA                                                   7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegDeleteKeyW                                                    767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegCreateKeyExA                                                  767213E9 6 Bytes  JMP 7148000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegSetValueExA                                                   76721433 6 Bytes  JMP 7130000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegSetValueExW                                                   76721456 6 Bytes  JMP 712D000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegCreateKeyW                                                    76721494 6 Bytes  JMP 713F000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegOpenKeyW                                                      767223D9 6 Bytes  JMP 7139000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!OpenSCManagerA                                                   76722B58 6 Bytes  JMP 710C000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!LookupPrivilegeValueA                                            76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegCreateKeyExW                                                  7672407E 6 Bytes  JMP 7145000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!AdjustTokenPrivileges                                            7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!LookupPrivilegeValueW                                            76724133 6 Bytes  JMP 70D3000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!OpenProcessToken                                                 76724284 6 Bytes  JMP 70D9000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueW                                                   76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueW + 4                                               76724438 2 Bytes  [26, 71]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegOpenKeyExW                                                    7672460D 6 Bytes  JMP 7133000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueExW                                                 7672462D 6 Bytes  JMP 7121000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegQueryValueExA                                                 7672486F 6 Bytes  JMP 7124000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegOpenKeyExA                                                    76724887 6 Bytes  JMP 7136000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!CreateServiceW                                                   767370C4 6 Bytes  JMP 715A000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!RegDeleteKeyA                                                    7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!CreateProcessAsUserA                                             76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!CreateServiceA                                                   76753264 6 Bytes  JMP 715D000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] ADVAPI32.dll!LsaRemoveAccountRights                                           767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] GDI32.dll!DeleteDC                                                            77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] GDI32.dll!GetPixel                                                            77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] GDI32.dll!CreateDCA                                                           77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] GDI32.dll!CreateDCW                                                           77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!RegisterRawInputDevices                                            76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!RegisterRawInputDevices + 4                                        76635B56 2 Bytes  [53, 71]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetWindowTextA                                                     76636EED 6 Bytes  JMP 7106000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetAsyncKeyState                                                   7663A256 6 Bytes  JMP 716C000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetWindowTextW                                                     7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!CreateWindowExA                                                    7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWindowsHookExW                                                  7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!CreateWindowExW                                                    7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!ShowWindow                                                         7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!ShowWindow + 4                                                     7663F2AD 2 Bytes  [FF, 70]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWinEventHook                                                    766424DC 6 Bytes  JMP 7157000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetKeyState                                                        76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!DrawTextW                                                          76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWindowTextW                                                     7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!DrawTextA                                                          7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWindowTextA                                                     76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetKeyboardState                                                   76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!GetKeyboardState + 4                                               7666694A 2 Bytes  [68, 71]
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!SetWindowsHookExA                                                  76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!DdeConnect                                                         7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] USER32.dll!EndTask                                                            7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!ShellExecuteW                                                     76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!Shell_NotifyIconW                                                 76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!ShellExecuteExW                                                   76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!ShellExecuteEx                                                    7709748A 6 Bytes  JMP 7184000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!ShellExecuteA                                                     77097525 6 Bytes  JMP 718A000A 
.text           C:\Tools\USBDLM\USBDLM.exe[1976] SHELL32.dll!Shell_NotifyIcon                                                  77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[2144] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\svchost.exe[2144] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\svchost.exe[2144] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\svchost.exe[2144] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\svchost.exe[2144] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\svchost.exe[2144] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[2144] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\svchost.exe[2144] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\svchost.exe[2144] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\svchost.exe[2144] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\svchost.exe[2144] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\svchost.exe[2144] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A

21.02.2014, 22:07   #10
gini57

gmer06_2926-3479.txt

Code:
ATTFilter
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtAlpcSendWaitReceivePort            77C85458 5 Bytes  JMP 003DB670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtClose                              77C85508 5 Bytes  JMP 003CD120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtLoadDriver                         77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtLoadDriver + 4                     77C85B9C 2 Bytes  [59, 71]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtSuspendProcess                     77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!NtSuspendProcess + 4                 77C868CC 2 Bytes  [71, 71] {JNO 0x73}
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!LdrUnloadDll                         77C9C8DE 7 Bytes  JMP 003CD240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ntdll.dll!LdrLoadDll                           77CA22AE 5 Bytes  JMP 003D7F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateProcessW                    767B204D 5 Bytes  JMP 003D5070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateProcessA                    767B2082 5 Bytes  JMP 003D5C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateProcessAsUserW              767E59FF 5 Bytes  JMP 003D3BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CopyFileW                         767E6B3F 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CopyFileExW                       767EB280 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateToolhelp32Snapshot          767EFD29 6 Bytes  JMP 7112000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!OpenMutexA                        767F0412 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!DeleteFileW                       767F1737 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!TerminateProcess                  767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!VirtualProtect                    767F2C15 6 Bytes  JMP 7109000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateMutexW                      767F33D6 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!DeleteFileA                       767F43CA 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!OpenProcess                       767F54E7 6 Bytes  JMP 7085000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MoveFileExW                       767F8DF8 6 Bytes  JMP 7088000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateDirectoryW                  767F99D1 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!LoadResource                      767F9CBA 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!DeviceIoControl                   767FB96D 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!VirtualAlloc                      767FC42A 6 Bytes  JMP 710C000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!GetProcAddress                    767FCC84 6 Bytes  JMP 714B000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateMutexA                      767FD7C4 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!LoadLibraryA                      767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateThread                      767FDCB2 6 Bytes  JMP 710F000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateFileW                       767FE895 6 Bytes  JMP 7118000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateFileA                       767FEA51 6 Bytes  JMP 7115000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!WideCharToMultiByte               767FEEEA 6 Bytes  JMP 7094000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MultiByteToWideChar               767FEEF7 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!LoadLibraryW                      767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!WriteFile                         768053DE 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!GetVolumeInformationW             76806191 6 Bytes  JMP 7145000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!OpenMutexW                        76808ECD 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!TerminateThread                   7680BBF1 6 Bytes  JMP 716F000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MoveFileExA                       76813F68 6 Bytes  JMP 708B000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!GetVolumeInformationA             76815CB2 6 Bytes  JMP 7148000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CopyFileA                         76816D4A 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MoveFileW                         76816EC6 6 Bytes  JMP 708E000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateDirectoryA                  768180D5 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!WriteProcessMemory                7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!DebugActiveProcess                7683738C 6 Bytes  JMP 716C000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!MoveFileA                         7683BF49 6 Bytes  JMP 7091000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CopyFileExA                       7683CDA1 6 Bytes  JMP 70EE000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!WinExec                           7683ED9E 6 Bytes  JMP 7178000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!CreateRemoteThread                7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!VirtualProtectEx                  7683FD39 6 Bytes  JMP 715D000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] kernel32.dll!SetThreadContext                  768408B3 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] GDI32.dll!DeleteDC                             77DF6EAA 5 Bytes  JMP 003D8D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] GDI32.dll!GetPixel                             77DFC3D5 5 Bytes  JMP 003D8AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] GDI32.dll!CreateDCA                            77DFCCA9 5 Bytes  JMP 003D9E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] GDI32.dll!CreateDCW                            77DFCF79 5 Bytes  JMP 003D9D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!RegisterRawInputDevices             76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!RegisterRawInputDevices + 4         76635B56 2 Bytes  [4D, 71]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetWindowTextA                      76636EED 6 Bytes  JMP 7100000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetAsyncKeyState                    7663A256 6 Bytes  JMP 7166000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetWindowTextW                      7663B8C5 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!CreateWindowExA                     7663BF40 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWindowsHookExW                   7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!CreateWindowExW                     7663EC7C 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!ShowWindow                          7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!ShowWindow + 4                      7663F2AD 2 Bytes  [F9, 70]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWinEventHook                     766424DC 6 Bytes  JMP 7151000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetKeyState                         76642B4D 6 Bytes  JMP 7169000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!DrawTextW                           76645B6A 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWindowTextW                      7664612B 6 Bytes  JMP 7097000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!DrawTextA                           7665AE29 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWindowTextA                      76660C5B 6 Bytes  JMP 709A000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetKeyboardState                    76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!GetKeyboardState + 4                7666694A 2 Bytes  [62, 71]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!SetWindowsHookExA                   76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!DdeConnect                          7667EB5B 6 Bytes  JMP 7160000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] USER32.dll!EndTask                             7667FD66 6 Bytes  JMP 7175000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!OpenSCManagerW                    7671CA04 6 Bytes  JMP 7103000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegOpenKeyA                       7671CBB5 6 Bytes  JMP 7136000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegCreateKeyA                     7671CCA1 6 Bytes  JMP 713C000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueA                    7671CDB2 5 Bytes  JMP 7124000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegDeleteKeyW                     767211F2 6 Bytes  JMP 709D000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegCreateKeyExA                   767213E9 6 Bytes  JMP 7142000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegSetValueExA                    76721433 6 Bytes  JMP 712A000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegSetValueExW                    76721456 6 Bytes  JMP 7127000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegCreateKeyW                     76721494 6 Bytes  JMP 7139000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegOpenKeyW                       767223D9 6 Bytes  JMP 7133000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!OpenSCManagerA                    76722B58 6 Bytes  JMP 7106000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!LookupPrivilegeValueA             76723FCA 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegCreateKeyExW                   7672407E 6 Bytes  JMP 713F000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!AdjustTokenPrivileges             7672410E 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!LookupPrivilegeValueW             76724133 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!OpenProcessToken                  76724284 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueW                    76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueW + 4                76724438 2 Bytes  [20, 71]
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegOpenKeyExW                     7672460D 6 Bytes  JMP 712D000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueExW                  7672462D 6 Bytes  JMP 711B000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegQueryValueExA                  7672486F 6 Bytes  JMP 711E000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegOpenKeyExA                     76724887 6 Bytes  JMP 7130000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!CreateServiceW                    767370C4 6 Bytes  JMP 7154000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!RegDeleteKeyA                     7673A84F 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!CreateProcessAsUserA              76752642 5 Bytes  JMP 003D44D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!CreateServiceA                    76753264 6 Bytes  JMP 7157000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] ADVAPI32.dll!LsaRemoveAccountRights            767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!ShellExecuteW                      76E63C31 6 Bytes  JMP 7181000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!Shell_NotifyIconW                  76E70171 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!ShellExecuteExW                    76E71DF6 6 Bytes  JMP 717B000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!ShellExecuteEx                     7709748A 6 Bytes  JMP 717E000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!ShellExecuteA                      77097525 6 Bytes  JMP 7184000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] SHELL32.dll!Shell_NotifyIcon                   77098F9E 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] WININET.dll!InternetOpenUrlA                   7696E1C6 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe[2152] WININET.dll!InternetOpenUrlW                   769CDC08 6 Bytes  JMP 70DC000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtAlpcSendWaitReceivePort                     77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtClose                                       77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtLoadDriver                                  77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtLoadDriver + 4                              77C85B9C 2 Bytes  [5F, 71]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtSuspendProcess                              77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!NtSuspendProcess + 4                          77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!LdrUnloadDll                                  77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ntdll.dll!LdrLoadDll                                    77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateProcessW                             767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateProcessA                             767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateProcessAsUserW                       767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CopyFileW                                  767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CopyFileExW                                767EB280 6 Bytes  JMP 70F1000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateToolhelp32Snapshot                   767EFD29 6 Bytes  JMP 7118000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!OpenMutexA                                 767F0412 6 Bytes  JMP 70C7000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!DeleteFileW                                767F1737 6 Bytes  JMP 70AF000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!TerminateProcess                           767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!VirtualProtect                             767F2C15 6 Bytes  JMP 710F000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateMutexW                               767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!DeleteFileA                                767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!OpenProcess                                767F54E7 6 Bytes  JMP 7091000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MoveFileExW                                767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateDirectoryW                           767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!LoadResource                               767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!DeviceIoControl                            767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!VirtualAlloc                               767FC42A 6 Bytes  JMP 7112000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!GetProcAddress                             767FCC84 6 Bytes  JMP 7151000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateMutexA                               767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!LoadLibraryA                               767FDC55 6 Bytes  JMP 719E000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateThread                               767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateFileW                                767FE895 6 Bytes  JMP 711E000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateFileA                                767FEA51 6 Bytes  JMP 711B000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!WideCharToMultiByte                        767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MultiByteToWideChar                        767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!LoadLibraryW                               767FEF32 6 Bytes  JMP 719B000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!WriteFile                                  768053DE 6 Bytes  JMP 70DF000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!GetVolumeInformationW                      76806191 6 Bytes  JMP 714B000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!OpenMutexW                                 76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!TerminateThread                            7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MoveFileExA                                76813F68 6 Bytes  JMP 7097000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!GetVolumeInformationA                      76815CB2 6 Bytes  JMP 714E000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CopyFileA                                  76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MoveFileW                                  76816EC6 6 Bytes  JMP 709A000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateDirectoryA                           768180D5 6 Bytes  JMP 70E5000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!WriteProcessMemory                         7681958F 6 Bytes  JMP 71A1000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!DebugActiveProcess                         7683738C 6 Bytes  JMP 7172000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!MoveFileA                                  7683BF49 6 Bytes  JMP 709D000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CopyFileExA                                7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!WinExec                                    7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!CreateRemoteThread                         7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!VirtualProtectEx                           7683FD39 6 Bytes  JMP 7163000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] kernel32.dll!SetThreadContext                           768408B3 6 Bytes  JMP 70DC000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!RegisterRawInputDevices                      76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!RegisterRawInputDevices + 4                  76635B56 2 Bytes  [53, 71]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetWindowTextA                               76636EED 6 Bytes  JMP 7106000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetAsyncKeyState                             7663A256 6 Bytes  JMP 716C000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetWindowTextW                               7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!CreateWindowExA                              7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWindowsHookExW                            7663E30C 6 Bytes  JMP 7195000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!CreateWindowExW                              7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!ShowWindow                                   7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!ShowWindow + 4                               7663F2AD 2 Bytes  [FF, 70]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWinEventHook                              766424DC 6 Bytes  JMP 7157000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetKeyState                                  76642B4D 6 Bytes  JMP 716F000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!DrawTextW                                    76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWindowTextW                               7664612B 6 Bytes  JMP 70A3000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!DrawTextA                                    7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWindowTextA                               76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetKeyboardState                             76666946 3 Bytes  [FF, 25, 1E]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!GetKeyboardState + 4                         7666694A 2 Bytes  [68, 71]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!SetWindowsHookExA                            76666D0C 6 Bytes  JMP 7198000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!DdeConnect                                   7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] USER32.dll!EndTask                                      7667FD66 6 Bytes  JMP 717B000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] GDI32.dll!DeleteDC                                      77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] GDI32.dll!GetPixel                                      77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] GDI32.dll!CreateDCA                                     77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] GDI32.dll!CreateDCW                                     77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!OpenSCManagerW                             7671CA04 6 Bytes  JMP 7109000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegOpenKeyA                                7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegCreateKeyA                              7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueA                             7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegDeleteKeyW                              767211F2 6 Bytes  JMP 70A9000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegCreateKeyExA                            767213E9 6 Bytes  JMP 7148000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegSetValueExA                             76721433 6 Bytes  JMP 7130000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegSetValueExW                             76721456 6 Bytes  JMP 712D000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegCreateKeyW                              76721494 6 Bytes  JMP 713F000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegOpenKeyW                                767223D9 6 Bytes  JMP 7139000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!OpenSCManagerA                             76722B58 6 Bytes  JMP 710C000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!LookupPrivilegeValueA                      76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegCreateKeyExW                            7672407E 6 Bytes  JMP 7145000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!AdjustTokenPrivileges                      7672410E 6 Bytes  JMP 70D0000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!LookupPrivilegeValueW                      76724133 6 Bytes  JMP 70D3000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!OpenProcessToken                           76724284 6 Bytes  JMP 70D9000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueW                             76724434 3 Bytes  [FF, 25, 1E]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueW + 4                         76724438 2 Bytes  [26, 71]
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegOpenKeyExW                              7672460D 6 Bytes  JMP 7133000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueExW                           7672462D 6 Bytes  JMP 7121000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegQueryValueExA                           7672486F 6 Bytes  JMP 7124000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegOpenKeyExA                              76724887 6 Bytes  JMP 7136000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!CreateServiceW                             767370C4 6 Bytes  JMP 715A000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!RegDeleteKeyA                              7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!CreateProcessAsUserA                       76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!CreateServiceA                             76753264 6 Bytes  JMP 715D000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] ADVAPI32.dll!LsaRemoveAccountRights                     767589F1 6 Bytes  JMP 71A7000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!ShellExecuteW                               76E63C31 6 Bytes  JMP 7187000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!Shell_NotifyIconW                           76E70171 6 Bytes  JMP 70EB000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!ShellExecuteExW                             76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!ShellExecuteEx                              7709748A 6 Bytes  JMP 7184000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!ShellExecuteA                               77097525 6 Bytes  JMP 718A000A 
.text           C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE[2408] SHELL32.dll!Shell_NotifyIcon                            77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtAlpcSendWaitReceivePort                                       77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtClose                                                         77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtLoadDriver                                                    77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtLoadDriver + 4                                                77C85B9C 2 Bytes  [5F, 71]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtSuspendProcess                                                77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!NtSuspendProcess + 4                                            77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!LdrUnloadDll                                                    77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ntdll.dll!LdrLoadDll                                                      77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateProcessW                                               767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateProcessA                                               767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateProcessAsUserW                                         767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CopyFileW                                                    767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CopyFileExW                                                  767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateToolhelp32Snapshot                                     767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!OpenMutexA                                                   767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!DeleteFileW                                                  767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!TerminateProcess                                             767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!VirtualProtect                                               767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateMutexW                                                 767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!DeleteFileA                                                  767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!OpenProcess                                                  767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MoveFileExW                                                  767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateDirectoryW                                             767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!LoadResource                                                 767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!DeviceIoControl                                              767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!VirtualAlloc                                                 767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!GetProcAddress                                               767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateMutexA                                                 767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!LoadLibraryA                                                 767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateThread                                                 767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateFileW                                                  767FE895 6 Bytes  JMP 711E000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateFileA                                                  767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!WideCharToMultiByte                                          767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MultiByteToWideChar                                          767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!LoadLibraryW                                                 767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!WriteFile                                                    768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!GetVolumeInformationW                                        76806191 6 Bytes  JMP 714B000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!OpenMutexW                                                   76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!TerminateThread                                              7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MoveFileExA                                                  76813F68 6 Bytes  JMP 7097000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!GetVolumeInformationA                                        76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CopyFileA                                                    76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MoveFileW                                                    76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateDirectoryA                                             768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!WriteProcessMemory                                           7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!DebugActiveProcess                                           7683738C 6 Bytes  JMP 7172000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!MoveFileA                                                    7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CopyFileExA                                                  7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!WinExec                                                      7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!CreateRemoteThread                                           7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!VirtualProtectEx                                             7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] kernel32.dll!SetThreadContext                                             768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] GDI32.dll!DeleteDC                                                        77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] GDI32.dll!GetPixel                                                        77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] GDI32.dll!CreateDCA                                                       77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] GDI32.dll!CreateDCW                                                       77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!RegisterRawInputDevices                                        76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!RegisterRawInputDevices + 4                                    76635B56 2 Bytes  [53, 71]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetWindowTextA                                                 76636EED 6 Bytes  JMP 7106000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetAsyncKeyState                                               7663A256 6 Bytes  JMP 716C000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetWindowTextW                                                 7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!CreateWindowExA                                                7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWindowsHookExW                                              7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!CreateWindowExW                                                7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!ShowWindow                                                     7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!ShowWindow + 4                                                 7663F2AD 2 Bytes  [FF, 70]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWinEventHook                                                766424DC 6 Bytes  JMP 7157000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetKeyState                                                    76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!DrawTextW                                                      76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWindowTextW                                                 7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!DrawTextA                                                      7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWindowTextA                                                 76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetKeyboardState                                               76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!GetKeyboardState + 4                                           7666694A 2 Bytes  [68, 71]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!SetWindowsHookExA                                              76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!DdeConnect                                                     7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] USER32.dll!EndTask                                                        7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!OpenSCManagerW                                               7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegOpenKeyA                                                  7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegCreateKeyA                                                7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueA                                               7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegDeleteKeyW                                                767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegCreateKeyExA                                              767213E9 6 Bytes  JMP 7148000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegSetValueExA                                               76721433 6 Bytes  JMP 7130000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegSetValueExW                                               76721456 6 Bytes  JMP 712D000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegCreateKeyW                                                76721494 6 Bytes  JMP 713F000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegOpenKeyW                                                  767223D9 6 Bytes  JMP 7139000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!OpenSCManagerA                                               76722B58 6 Bytes  JMP 710C000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!LookupPrivilegeValueA                                        76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegCreateKeyExW                                              7672407E 6 Bytes  JMP 7145000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!AdjustTokenPrivileges                                        7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!LookupPrivilegeValueW                                        76724133 6 Bytes  JMP 70D3000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!OpenProcessToken                                             76724284 6 Bytes  JMP 70D9000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueW                                               76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueW + 4                                           76724438 2 Bytes  [26, 71]
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegOpenKeyExW                                                7672460D 6 Bytes  JMP 7133000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueExW                                             7672462D 6 Bytes  JMP 7121000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegQueryValueExA                                             7672486F 6 Bytes  JMP 7124000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegOpenKeyExA                                                76724887 6 Bytes  JMP 7136000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!CreateServiceW                                               767370C4 6 Bytes  JMP 715A000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!RegDeleteKeyA                                                7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!CreateProcessAsUserA                                         76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!CreateServiceA                                               76753264 6 Bytes  JMP 715D000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] ADVAPI32.dll!LsaRemoveAccountRights                                       767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!ShellExecuteW                                                 76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!Shell_NotifyIconW                                             76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!ShellExecuteExW                                               76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!ShellExecuteEx                                                7709748A 6 Bytes  JMP 7184000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!ShellExecuteA                                                 77097525 6 Bytes  JMP 718A000A 
.text           C:\Tools\USBDLM\USBDLM_usr.exe[2564] SHELL32.dll!Shell_NotifyIcon                                              77098F9E 6 Bytes  JMP 70EE000A 
.text           E:\Gmer-19357.exe[2612] ntdll.dll!NtAlpcSendWaitReceivePort                                                    77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] ntdll.dll!NtClose                                                                      77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] ntdll.dll!NtLoadDriver                                                                 77C85B98 3 Bytes  [FF, 25, 1E]
.text           E:\Gmer-19357.exe[2612] ntdll.dll!NtLoadDriver + 4                                                             77C85B9C 2 Bytes  [5F, 71]
.text           E:\Gmer-19357.exe[2612] ntdll.dll!NtSuspendProcess                                                             77C868C8 3 Bytes  [FF, 25, 1E]
.text           E:\Gmer-19357.exe[2612] ntdll.dll!NtSuspendProcess + 4                                                         77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           E:\Gmer-19357.exe[2612] ntdll.dll!LdrUnloadDll                                                                 77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] ntdll.dll!LdrLoadDll                                                                   77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateProcessW                                                            767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateProcessA                                                            767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateProcessAsUserW                                                      767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CopyFileW                                                                 767E6B3F 6 Bytes  JMP 70F7000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CopyFileExW                                                               767EB280 6 Bytes  JMP 70F1000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateToolhelp32Snapshot                                                  767EFD29 6 Bytes  JMP 7118000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!OpenMutexA                                                                767F0412 6 Bytes  JMP 70C7000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!DeleteFileW                                                               767F1737 6 Bytes  JMP 70AF000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!TerminateProcess                                                          767F2C05 6 Bytes  JMP 71A4000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!VirtualProtect                                                            767F2C15 6 Bytes  JMP 710F000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateMutexW                                                              767F33D6 6 Bytes  JMP 70CA000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!DeleteFileA                                                               767F43CA 6 Bytes  JMP 70B2000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!OpenProcess                                                               767F54E7 6 Bytes  JMP 7091000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!MoveFileExW                                                               767F8DF8 6 Bytes  JMP 7094000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateDirectoryW                                                          767F99D1 6 Bytes  JMP 70E2000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!LoadResource                                                              767F9CBA 6 Bytes  JMP 70FD000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!DeviceIoControl                                                           767FB96D 6 Bytes  JMP 70E8000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!VirtualAlloc                                                              767FC42A 6 Bytes  JMP 7112000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!GetProcAddress                                                            767FCC84 6 Bytes  JMP 7151000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateMutexA                                                              767FD7C4 6 Bytes  JMP 70CD000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!LoadLibraryA                                                              767FDC55 6 Bytes  JMP 719E000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateThread                                                              767FDCB2 6 Bytes  JMP 7115000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateFileW                                                               767FE895 6 Bytes  JMP 711E000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateFileA                                                               767FEA51 6 Bytes  JMP 711B000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!WideCharToMultiByte                                                       767FEEEA 6 Bytes  JMP 70A0000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!MultiByteToWideChar                                                       767FEEF7 6 Bytes  JMP 70C1000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!LoadLibraryW                                                              767FEF32 6 Bytes  JMP 719B000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!WriteFile                                                                 768053DE 6 Bytes  JMP 70DF000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!GetVolumeInformationW                                                     76806191 6 Bytes  JMP 714B000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!OpenMutexW                                                                76808ECD 6 Bytes  JMP 70C4000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!TerminateThread                                                           7680BBF1 6 Bytes  JMP 7175000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!MoveFileExA                                                               76813F68 6 Bytes  JMP 7097000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!GetVolumeInformationA                                                     76815CB2 6 Bytes  JMP 714E000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CopyFileA                                                                 76816D4A 6 Bytes  JMP 70FA000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!MoveFileW                                                                 76816EC6 6 Bytes  JMP 709A000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateDirectoryA                                                          768180D5 6 Bytes  JMP 70E5000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!WriteProcessMemory                                                        7681958F 6 Bytes  JMP 71A1000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!DebugActiveProcess                                                        7683738C 6 Bytes  JMP 7172000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!MoveFileA                                                                 7683BF49 6 Bytes  JMP 709D000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CopyFileExA                                                               7683CDA1 6 Bytes  JMP 70F4000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!WinExec                                                                   7683ED9E 6 Bytes  JMP 717E000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!CreateRemoteThread                                                        7683FADB 6 Bytes  JMP 71AE000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!VirtualProtectEx                                                          7683FD39 6 Bytes  JMP 7163000A 
.text           E:\Gmer-19357.exe[2612] kernel32.dll!SetThreadContext                                                          768408B3 6 Bytes  JMP 70DC000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!RegisterRawInputDevices                                                     76635B52 3 Bytes  [FF, 25, 1E]
.text           E:\Gmer-19357.exe[2612] USER32.dll!RegisterRawInputDevices + 4                                                 76635B56 2 Bytes  [53, 71]
.text           E:\Gmer-19357.exe[2612] USER32.dll!GetWindowTextA                                                              76636EED 6 Bytes  JMP 7106000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!GetAsyncKeyState                                                            7663A256 6 Bytes  JMP 716C000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!GetWindowTextW                                                              7663B8C5 6 Bytes  JMP 7103000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!CreateWindowExA                                                             7663BF40 6 Bytes  JMP 70B8000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!SetWindowsHookExW                                                           7663E30C 6 Bytes  JMP 7195000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!CreateWindowExW                                                             7663EC7C 6 Bytes  JMP 70B5000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!ShowWindow                                                                  7663F2A9 3 Bytes  [FF, 25, 1E]
.text           E:\Gmer-19357.exe[2612] USER32.dll!ShowWindow + 4                                                              7663F2AD 2 Bytes  [FF, 70]
.text           E:\Gmer-19357.exe[2612] USER32.dll!SetWinEventHook                                                             766424DC 6 Bytes  JMP 7157000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!GetKeyState                                                                 76642B4D 6 Bytes  JMP 716F000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!DrawTextW                                                                   76645B6A 6 Bytes  JMP 70BB000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!SetWindowTextW                                                              7664612B 6 Bytes  JMP 70A3000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!DrawTextA                                                                   7665AE29 6 Bytes  JMP 70BE000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!SetWindowTextA                                                              76660C5B 6 Bytes  JMP 70A6000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!GetKeyboardState                                                            76666946 3 Bytes  [FF, 25, 1E]
.text           E:\Gmer-19357.exe[2612] USER32.dll!GetKeyboardState + 4                                                        7666694A 2 Bytes  [68, 71]
.text           E:\Gmer-19357.exe[2612] USER32.dll!SetWindowsHookExA                                                           76666D0C 6 Bytes  JMP 7198000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!DdeConnect                                                                  7667EB5B 6 Bytes  JMP 7166000A 
.text           E:\Gmer-19357.exe[2612] USER32.dll!EndTask                                                                     7667FD66 6 Bytes  JMP 717B000A 
.text           E:\Gmer-19357.exe[2612] GDI32.dll!DeleteDC                                                                     77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] GDI32.dll!GetPixel                                                                     77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] GDI32.dll!CreateDCA                                                                    77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] GDI32.dll!CreateDCW                                                                    77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!OpenSCManagerW                                                            7671CA04 6 Bytes  JMP 7109000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegOpenKeyA                                                               7671CBB5 6 Bytes  JMP 713C000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegCreateKeyA                                                             7671CCA1 6 Bytes  JMP 7142000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueA                                                            7671CDB2 5 Bytes  JMP 712A000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegDeleteKeyW                                                             767211F2 6 Bytes  JMP 70A9000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegCreateKeyExA                                                           767213E9 6 Bytes  JMP 7148000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegSetValueExA                                                            76721433 6 Bytes  JMP 7130000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegSetValueExW                                                            76721456 6 Bytes  JMP 712D000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegCreateKeyW                                                             76721494 6 Bytes  JMP 713F000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegOpenKeyW                                                               767223D9 6 Bytes  JMP 7139000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!OpenSCManagerA                                                            76722B58 6 Bytes  JMP 710C000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!LookupPrivilegeValueA                                                     76723FCA 6 Bytes  JMP 70D6000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegCreateKeyExW                                                           7672407E 6 Bytes  JMP 7145000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!AdjustTokenPrivileges                                                     7672410E 6 Bytes  JMP 70D0000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!LookupPrivilegeValueW                                                     76724133 6 Bytes  JMP 70D3000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!OpenProcessToken                                                          76724284 6 Bytes  JMP 70D9000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueW                                                            76724434 3 Bytes  [FF, 25, 1E]
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueW + 4                                                        76724438 2 Bytes  [26, 71]
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegOpenKeyExW                                                             7672460D 6 Bytes  JMP 7133000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueExW                                                          7672462D 6 Bytes  JMP 7121000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegQueryValueExA                                                          7672486F 6 Bytes  JMP 7124000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegOpenKeyExA                                                             76724887 6 Bytes  JMP 7136000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!CreateServiceW                                                            767370C4 6 Bytes  JMP 715A000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!RegDeleteKeyA                                                             7673A84F 6 Bytes  JMP 70AC000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!CreateProcessAsUserA                                                      76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!CreateServiceA                                                            76753264 6 Bytes  JMP 715D000A 
.text           E:\Gmer-19357.exe[2612] ADVAPI32.dll!LsaRemoveAccountRights                                                    767589F1 6 Bytes  JMP 71A7000A 
.text           E:\Gmer-19357.exe[2612] SHELL32.dll!ShellExecuteW                                                              76E63C31 6 Bytes  JMP 7187000A 
.text           E:\Gmer-19357.exe[2612] SHELL32.dll!Shell_NotifyIconW                                                          76E70171 6 Bytes  JMP 70EB000A 
.text           E:\Gmer-19357.exe[2612] SHELL32.dll!ShellExecuteExW                                                            76E71DF6 6 Bytes  JMP 7181000A 
.text           E:\Gmer-19357.exe[2612] SHELL32.dll!ShellExecuteEx                                                             7709748A 6 Bytes  JMP 7184000A 
.text           E:\Gmer-19357.exe[2612] SHELL32.dll!ShellExecuteA                                                              77097525 6 Bytes  JMP 718A000A 
.text           E:\Gmer-19357.exe[2612] SHELL32.dll!Shell_NotifyIcon                                                           77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\explorer.exe[3028] ntdll.dll!NtAlpcSendWaitReceivePort                                              77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] ntdll.dll!NtClose                                                                77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] ntdll.dll!NtLoadDriver                                                           77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[3028] ntdll.dll!NtLoadDriver + 4                                                       77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\explorer.exe[3028] ntdll.dll!NtSuspendProcess                                                       77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[3028] ntdll.dll!NtSuspendProcess + 4                                                   77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\explorer.exe[3028] ntdll.dll!LdrUnloadDll                                                           77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] ntdll.dll!LdrLoadDll                                                             77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateProcessW                                                      767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateProcessA                                                      767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateProcessAsUserW                                                767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CopyFileW                                                           767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CopyFileExW                                                         767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateToolhelp32Snapshot                                            767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!OpenMutexA                                                          767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!DeleteFileW                                                         767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!TerminateProcess                                                    767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!VirtualProtect                                                      767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateMutexW                                                        767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!DeleteFileA                                                         767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!OpenProcess                                                         767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!MoveFileExW                                                         767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateDirectoryW                                                    767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!LoadResource                                                        767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!DeviceIoControl                                                     767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!VirtualAlloc                                                        767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!GetProcAddress                                                      767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateMutexA                                                        767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!LoadLibraryA                                                        767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateThread                                                        767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateFileW                                                         767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateFileA                                                         767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!WideCharToMultiByte                                                 767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!MultiByteToWideChar                                                 767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!LoadLibraryW                                                        767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!WriteFile                                                           768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!GetVolumeInformationW                                               76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!OpenMutexW                                                          76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!TerminateThread                                                     7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!MoveFileExA                                                         76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!GetVolumeInformationA                                               76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CopyFileA                                                           76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!MoveFileW                                                           76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateDirectoryA                                                    768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!WriteProcessMemory                                                  7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!DebugActiveProcess                                                  7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!MoveFileA                                                           7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CopyFileExA                                                         7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!WinExec                                                             7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!CreateRemoteThread                                                  7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!VirtualProtectEx                                                    7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\explorer.exe[3028] kernel32.dll!SetThreadContext                                                    768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!OpenSCManagerW                                                      7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegOpenKeyA                                                         7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegCreateKeyA                                                       7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueA                                                      7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegDeleteKeyW                                                       767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegCreateKeyExA                                                     767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegSetValueExA                                                      76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegSetValueExW                                                      76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegCreateKeyW                                                       76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegOpenKeyW                                                         767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!OpenSCManagerA                                                      76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!LookupPrivilegeValueA                                               76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegCreateKeyExW                                                     7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!AdjustTokenPrivileges                                               7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!LookupPrivilegeValueW                                               76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!OpenProcessToken                                                    76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueW                                                      76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueW + 4                                                  76724438 2 Bytes  [26, 71]
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegOpenKeyExW                                                       7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueExW                                                    7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegQueryValueExA                                                    7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegOpenKeyExA                                                       76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!CreateServiceW                                                      767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!RegDeleteKeyA                                                       7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!CreateProcessAsUserA                                                76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!CreateServiceA                                                      76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\explorer.exe[3028] ADVAPI32.dll!LsaRemoveAccountRights                                              767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\explorer.exe[3028] GDI32.dll!DeleteDC                                                               77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] GDI32.dll!GetPixel                                                               77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] GDI32.dll!CreateDCA                                                              77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] GDI32.dll!CreateDCW                                                              77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\explorer.exe[3028] USER32.dll!RegisterRawInputDevices                                               76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[3028] USER32.dll!RegisterRawInputDevices + 4                                           76635B56 2 Bytes  [53, 71]
.text           C:\Windows\explorer.exe[3028] USER32.dll!GetWindowTextA                                                        76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!GetAsyncKeyState                                                      7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!GetWindowTextW                                                        7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!CreateWindowExA                                                       7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!SetWindowsHookExW                                                     7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!CreateWindowExW                                                       7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!ShowWindow                                                            7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[3028] USER32.dll!ShowWindow + 4                                                        7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\explorer.exe[3028] USER32.dll!SetWinEventHook                                                       766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!GetKeyState                                                           76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!DrawTextW                                                             76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!SetWindowTextW                                                        7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!DrawTextA                                                             7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!SetWindowTextA                                                        76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!GetKeyboardState                                                      76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\explorer.exe[3028] USER32.dll!GetKeyboardState + 4                                                  7666694A 2 Bytes  [68, 71]
.text           C:\Windows\explorer.exe[3028] USER32.dll!SetWindowsHookExA                                                     76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!DdeConnect                                                            7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\explorer.exe[3028] USER32.dll!EndTask                                                               7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\explorer.exe[3028] SHELL32.dll!ShellExecuteW                                                        76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\explorer.exe[3028] SHELL32.dll!Shell_NotifyIconW                                                    76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\explorer.exe[3028] SHELL32.dll!ShellExecuteExW                                                      76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\explorer.exe[3028] SHELL32.dll!ShellExecuteEx                                                       7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\explorer.exe[3028] SHELL32.dll!ShellExecuteA                                                        77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\explorer.exe[3028] SHELL32.dll!Shell_NotifyIcon                                                     77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\explorer.exe[3028] WININET.dll!InternetOpenUrlA                                                     7696E1C6 6 Bytes  JMP 708E000A 
.text           C:\Windows\explorer.exe[3028] WININET.dll!InternetOpenUrlW                                                     769CDC08 6 Bytes  JMP 708B000A
         

21.02.2014, 22:08   #11
gini57

Windows 7: Bluescreen after startup, system restore successful but malware suspected



gmer07_3480-4033.txt

Code:
ATTFilter
.text           C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[3232] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\svchost.exe[3232] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\svchost.exe[3232] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\svchost.exe[3232] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\svchost.exe[3232] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\svchost.exe[3232] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\svchost.exe[3232] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\svchost.exe[3232] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\svchost.exe[3232] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\svchost.exe[3232] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\svchost.exe[3232] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\svchost.exe[3232] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[3308] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\System32\svchost.exe[3308] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\System32\svchost.exe[3308] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\System32\svchost.exe[3308] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\System32\svchost.exe[3308] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\System32\svchost.exe[3308] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\System32\svchost.exe[3308] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\System32\svchost.exe[3308] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\System32\svchost.exe[3308] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\System32\svchost.exe[3308] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\System32\svchost.exe[3308] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\System32\svchost.exe[3308] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\System32\svchost.exe[3308] WININET.dll!InternetOpenUrlA                                             7696E1C6 6 Bytes  JMP 708E000A 
.text           C:\Windows\System32\svchost.exe[3308] WININET.dll!InternetOpenUrlW                                             769CDC08 6 Bytes  JMP 708B000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtAlpcSendWaitReceivePort                                77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtClose                                                  77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtLoadDriver                                             77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtLoadDriver + 4                                         77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtSuspendProcess                                         77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!NtSuspendProcess + 4                                     77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!LdrUnloadDll                                             77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] ntdll.dll!LdrLoadDll                                               77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateProcessW                                        767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateProcessA                                        767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateProcessAsUserW                                  767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CopyFileW                                             767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CopyFileExW                                           767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateToolhelp32Snapshot                              767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!OpenMutexA                                            767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!DeleteFileW                                           767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!TerminateProcess                                      767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!VirtualProtect                                        767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateMutexW                                          767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!DeleteFileA                                           767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!OpenProcess                                           767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MoveFileExW                                           767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateDirectoryW                                      767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!LoadResource                                          767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!DeviceIoControl                                       767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!VirtualAlloc                                          767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!GetProcAddress                                        767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateMutexA                                          767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!LoadLibraryA                                          767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateThread                                          767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateFileW                                           767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateFileA                                           767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!WideCharToMultiByte                                   767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MultiByteToWideChar                                   767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!LoadLibraryW                                          767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!WriteFile                                             768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!GetVolumeInformationW                                 76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!OpenMutexW                                            76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!TerminateThread                                       7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MoveFileExA                                           76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!GetVolumeInformationA                                 76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CopyFileA                                             76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MoveFileW                                             76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateDirectoryA                                      768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!WriteProcessMemory                                    7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!DebugActiveProcess                                    7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!MoveFileA                                             7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CopyFileExA                                           7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!WinExec                                               7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!CreateRemoteThread                                    7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!VirtualProtectEx                                      7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] kernel32.dll!SetThreadContext                                      768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!OpenSCManagerW                                        7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegOpenKeyA                                           7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegCreateKeyA                                         7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueA                                        7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegDeleteKeyW                                         767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegCreateKeyExA                                       767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegSetValueExA                                        76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegSetValueExW                                        76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegCreateKeyW                                         76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegOpenKeyW                                           767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!OpenSCManagerA                                        76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!LookupPrivilegeValueA                                 76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegCreateKeyExW                                       7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!AdjustTokenPrivileges                                 7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!LookupPrivilegeValueW                                 76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!OpenProcessToken                                      76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueW                                        76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueW + 4                                    76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegOpenKeyExW                                         7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueExW                                      7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegQueryValueExA                                      7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegOpenKeyExA                                         76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!CreateServiceW                                        767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!RegDeleteKeyA                                         7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!CreateProcessAsUserA                                  76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!CreateServiceA                                        76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] ADVAPI32.dll!LsaRemoveAccountRights                                767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!RegisterRawInputDevices                                 76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!RegisterRawInputDevices + 4                             76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetWindowTextA                                          76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetAsyncKeyState                                        7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetWindowTextW                                          7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!CreateWindowExA                                         7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWindowsHookExW                                       7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!CreateWindowExW                                         7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!ShowWindow                                              7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!ShowWindow + 4                                          7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWinEventHook                                         766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetKeyState                                             76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!DrawTextW                                               76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWindowTextW                                          7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!DrawTextA                                               7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWindowTextA                                          76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetKeyboardState                                        76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!GetKeyboardState + 4                                    7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!SetWindowsHookExA                                       76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!DdeConnect                                              7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] USER32.dll!EndTask                                                 7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] GDI32.dll!DeleteDC                                                 77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] GDI32.dll!GetPixel                                                 77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] GDI32.dll!CreateDCA                                                77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] GDI32.dll!CreateDCW                                                77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!ShellExecuteW                                          76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!Shell_NotifyIconW                                      76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!ShellExecuteExW                                        76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!ShellExecuteEx                                         7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!ShellExecuteA                                          77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\SearchIndexer.exe[3396] SHELL32.dll!Shell_NotifyIcon                                       77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\taskhost.exe[3624] ntdll.dll!NtAlpcSendWaitReceivePort                                     77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] ntdll.dll!NtClose                                                       77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] ntdll.dll!NtLoadDriver                                                  77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\taskhost.exe[3624] ntdll.dll!NtLoadDriver + 4                                              77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\taskhost.exe[3624] ntdll.dll!NtSuspendProcess                                              77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\taskhost.exe[3624] ntdll.dll!NtSuspendProcess + 4                                          77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\taskhost.exe[3624] ntdll.dll!LdrUnloadDll                                                  77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] ntdll.dll!LdrLoadDll                                                    77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateProcessW                                             767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateProcessA                                             767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateProcessAsUserW                                       767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CopyFileW                                                  767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CopyFileExW                                                767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateToolhelp32Snapshot                                   767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!OpenMutexA                                                 767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!DeleteFileW                                                767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!TerminateProcess                                           767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!VirtualProtect                                             767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateMutexW                                               767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!DeleteFileA                                                767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!OpenProcess                                                767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!MoveFileExW                                                767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateDirectoryW                                           767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!LoadResource                                               767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!DeviceIoControl                                            767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!VirtualAlloc                                               767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!GetProcAddress                                             767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateMutexA                                               767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!LoadLibraryA                                               767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateThread                                               767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateFileW                                                767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateFileA                                                767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!WideCharToMultiByte                                        767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!MultiByteToWideChar                                        767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!LoadLibraryW                                               767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!WriteFile                                                  768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!GetVolumeInformationW                                      76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!OpenMutexW                                                 76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!TerminateThread                                            7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!MoveFileExA                                                76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!GetVolumeInformationA                                      76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CopyFileA                                                  76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!MoveFileW                                                  76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateDirectoryA                                           768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!WriteProcessMemory                                         7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!DebugActiveProcess                                         7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!MoveFileA                                                  7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CopyFileExA                                                7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!WinExec                                                    7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!CreateRemoteThread                                         7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!VirtualProtectEx                                           7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\taskhost.exe[3624] kernel32.dll!SetThreadContext                                           768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\taskhost.exe[3624] GDI32.dll!DeleteDC                                                      77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] GDI32.dll!GetPixel                                                      77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] GDI32.dll!CreateDCA                                                     77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] GDI32.dll!CreateDCW                                                     77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!RegisterRawInputDevices                                      76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!RegisterRawInputDevices + 4                                  76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!GetWindowTextA                                               76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!GetAsyncKeyState                                             7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!GetWindowTextW                                               7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!CreateWindowExA                                              7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!SetWindowsHookExW                                            7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!CreateWindowExW                                              7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!ShowWindow                                                   7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!ShowWindow + 4                                               7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!SetWinEventHook                                              766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!GetKeyState                                                  76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!DrawTextW                                                    76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!SetWindowTextW                                               7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!DrawTextA                                                    7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!SetWindowTextA                                               76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!GetKeyboardState                                             76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!GetKeyboardState + 4                                         7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!SetWindowsHookExA                                            76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!DdeConnect                                                   7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\taskhost.exe[3624] USER32.dll!EndTask                                                      7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!OpenSCManagerW                                             7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegOpenKeyA                                                7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegCreateKeyA                                              7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegQueryValueA                                             7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegDeleteKeyW                                              767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegCreateKeyExA                                            767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegSetValueExA                                             76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegSetValueExW                                             76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegCreateKeyW                                              76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegOpenKeyW                                                767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!OpenSCManagerA                                             76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!LookupPrivilegeValueA                                      76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegCreateKeyExW                                            7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!AdjustTokenPrivileges                                      7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!LookupPrivilegeValueW                                      76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!OpenProcessToken                                           76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegQueryValueW                                             76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegQueryValueW + 4                                         76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegOpenKeyExW                                              7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegQueryValueExW                                           7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegQueryValueExA                                           7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegOpenKeyExA                                              76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!CreateServiceW                                             767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!RegDeleteKeyA                                              7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!CreateProcessAsUserA                                       76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!CreateServiceA                                             76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\taskhost.exe[3624] ADVAPI32.dll!LsaRemoveAccountRights                                     767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\taskhost.exe[3624] SHELL32.dll!ShellExecuteW                                               76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\taskhost.exe[3624] SHELL32.dll!Shell_NotifyIconW                                           76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\taskhost.exe[3624] SHELL32.dll!ShellExecuteExW                                             76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\taskhost.exe[3624] SHELL32.dll!ShellExecuteEx                                              7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\taskhost.exe[3624] SHELL32.dll!ShellExecuteA                                               77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\taskhost.exe[3624] SHELL32.dll!Shell_NotifyIcon                                            77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ntdll.dll!NtAlpcSendWaitReceivePort                   77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ntdll.dll!NtClose                                     77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ntdll.dll!NtLoadDriver                                77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ntdll.dll!NtLoadDriver + 4                            77C85B9C 2 Bytes  [5F, 71]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ntdll.dll!NtSuspendProcess                            77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ntdll.dll!NtSuspendProcess + 4                        77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ntdll.dll!LdrUnloadDll                                77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ntdll.dll!LdrLoadDll                                  77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateProcessW                           767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateProcessA                           767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateProcessAsUserW                     767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CopyFileW                                767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CopyFileExW                              767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateToolhelp32Snapshot                 767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!OpenMutexA                               767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!DeleteFileW                              767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!TerminateProcess                         767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!VirtualProtect                           767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateMutexW                             767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!DeleteFileA                              767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!OpenProcess                              767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!MoveFileExW                              767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateDirectoryW                         767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!LoadResource                             767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!DeviceIoControl                          767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!VirtualAlloc                             767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!GetProcAddress                           767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateMutexA                             767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!LoadLibraryA                             767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateThread                             767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateFileW                              767FE895 6 Bytes  JMP 711E000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateFileA                              767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!WideCharToMultiByte                      767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!MultiByteToWideChar                      767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!LoadLibraryW                             767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!WriteFile                                768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!GetVolumeInformationW                    76806191 6 Bytes  JMP 714B000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!OpenMutexW                               76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!TerminateThread                          7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!MoveFileExA                              76813F68 6 Bytes  JMP 7097000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!GetVolumeInformationA                    76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CopyFileA                                76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!MoveFileW                                76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateDirectoryA                         768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!WriteProcessMemory                       7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!DebugActiveProcess                       7683738C 6 Bytes  JMP 7172000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!MoveFileA                                7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CopyFileExA                              7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!WinExec                                  7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!CreateRemoteThread                       7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!VirtualProtectEx                         7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] kernel32.dll!SetThreadContext                         768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!OpenSCManagerW                           7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegOpenKeyA                              7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegCreateKeyA                            7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegQueryValueA                           7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegDeleteKeyW                            767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegCreateKeyExA                          767213E9 6 Bytes  JMP 7148000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegSetValueExA                           76721433 6 Bytes  JMP 7130000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegSetValueExW                           76721456 6 Bytes  JMP 712D000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegCreateKeyW                            76721494 6 Bytes  JMP 713F000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegOpenKeyW                              767223D9 6 Bytes  JMP 7139000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!OpenSCManagerA                           76722B58 6 Bytes  JMP 710C000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!LookupPrivilegeValueA                    76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegCreateKeyExW                          7672407E 6 Bytes  JMP 7145000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!AdjustTokenPrivileges                    7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!LookupPrivilegeValueW                    76724133 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!OpenProcessToken                         76724284 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegQueryValueW                           76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegQueryValueW + 4                       76724438 2 Bytes  [26, 71]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegOpenKeyExW                            7672460D 6 Bytes  JMP 7133000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegQueryValueExW                         7672462D 6 Bytes  JMP 7121000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegQueryValueExA                         7672486F 6 Bytes  JMP 7124000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegOpenKeyExA                            76724887 6 Bytes  JMP 7136000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!CreateServiceW                           767370C4 6 Bytes  JMP 715A000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!RegDeleteKeyA                            7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!CreateProcessAsUserA                     76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!CreateServiceA                           76753264 6 Bytes  JMP 715D000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] ADVAPI32.dll!LsaRemoveAccountRights                   767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!RegisterRawInputDevices                    76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!RegisterRawInputDevices + 4                76635B56 2 Bytes  [53, 71]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!GetWindowTextA                             76636EED 6 Bytes  JMP 7106000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!GetAsyncKeyState                           7663A256 6 Bytes  JMP 716C000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!GetWindowTextW                             7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!CreateWindowExA                            7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!SetWindowsHookExW                          7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!CreateWindowExW                            7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!ShowWindow                                 7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!ShowWindow + 4                             7663F2AD 2 Bytes  [FF, 70]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!SetWinEventHook                            766424DC 6 Bytes  JMP 7157000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!GetKeyState                                76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!DrawTextW                                  76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!SetWindowTextW                             7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!DrawTextA                                  7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!SetWindowTextA                             76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!GetKeyboardState                           76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!GetKeyboardState + 4                       7666694A 2 Bytes  [68, 71]
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!SetWindowsHookExA                          76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!DdeConnect                                 7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] USER32.dll!EndTask                                    7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] GDI32.dll!DeleteDC                                    77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] GDI32.dll!GetPixel                                    77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] GDI32.dll!CreateDCA                                   77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] GDI32.dll!CreateDCW                                   77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] SHELL32.dll!ShellExecuteW                             76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] SHELL32.dll!Shell_NotifyIconW                         76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] SHELL32.dll!ShellExecuteExW                           76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] SHELL32.dll!ShellExecuteEx                            7709748A 6 Bytes  JMP 7184000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] SHELL32.dll!ShellExecuteA                             77097525 6 Bytes  JMP 718A000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] SHELL32.dll!Shell_NotifyIcon                          77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] WININET.dll!InternetOpenUrlA                          7696E1C6 6 Bytes  JMP 708E000A 
.text           C:\Program Files\Windows Media Player\wmpnetwk.exe[3696] WININET.dll!InternetOpenUrlW                          769CDC08 6 Bytes  JMP 708B000A
         

Alt 21.02.2014, 22:09   #12
gini57
 

gmer08_4034-4585.txt

Code:
ATTFilter
.text           C:\Windows\System32\WUDFHost.exe[3748] ntdll.dll!NtAlpcSendWaitReceivePort                                     77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] ntdll.dll!NtClose                                                       77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] ntdll.dll!NtLoadDriver                                                  77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\WUDFHost.exe[3748] ntdll.dll!NtLoadDriver + 4                                              77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\System32\WUDFHost.exe[3748] ntdll.dll!NtSuspendProcess                                              77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\WUDFHost.exe[3748] ntdll.dll!NtSuspendProcess + 4                                          77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\System32\WUDFHost.exe[3748] ntdll.dll!LdrUnloadDll                                                  77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] ntdll.dll!LdrLoadDll                                                    77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateProcessW                                             767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateProcessA                                             767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateProcessAsUserW                                       767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CopyFileW                                                  767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CopyFileExW                                                767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateToolhelp32Snapshot                                   767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!OpenMutexA                                                 767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!DeleteFileW                                                767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!TerminateProcess                                           767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!VirtualProtect                                             767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateMutexW                                               767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!DeleteFileA                                                767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!OpenProcess                                                767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!MoveFileExW                                                767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateDirectoryW                                           767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!LoadResource                                               767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!DeviceIoControl                                            767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!VirtualAlloc                                               767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!GetProcAddress                                             767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateMutexA                                               767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!LoadLibraryA                                               767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateThread                                               767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateFileW                                                767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateFileA                                                767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!WideCharToMultiByte                                        767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!MultiByteToWideChar                                        767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!LoadLibraryW                                               767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!WriteFile                                                  768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!GetVolumeInformationW                                      76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!OpenMutexW                                                 76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!TerminateThread                                            7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!MoveFileExA                                                76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!GetVolumeInformationA                                      76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CopyFileA                                                  76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!MoveFileW                                                  76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateDirectoryA                                           768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!WriteProcessMemory                                         7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!DebugActiveProcess                                         7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!MoveFileA                                                  7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CopyFileExA                                                7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!WinExec                                                    7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!CreateRemoteThread                                         7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!VirtualProtectEx                                           7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] kernel32.dll!SetThreadContext                                           768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!OpenSCManagerW                                             7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegOpenKeyA                                                7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegCreateKeyA                                              7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegQueryValueA                                             7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegDeleteKeyW                                              767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegCreateKeyExA                                            767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegSetValueExA                                             76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegSetValueExW                                             76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegCreateKeyW                                              76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegOpenKeyW                                                767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!OpenSCManagerA                                             76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!LookupPrivilegeValueA                                      76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegCreateKeyExW                                            7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!AdjustTokenPrivileges                                      7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!LookupPrivilegeValueW                                      76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!OpenProcessToken                                           76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegQueryValueW                                             76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegQueryValueW + 4                                         76724438 2 Bytes  [26, 71]
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegOpenKeyExW                                              7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegQueryValueExW                                           7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegQueryValueExA                                           7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegOpenKeyExA                                              76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!CreateServiceW                                             767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!RegDeleteKeyA                                              7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!CreateProcessAsUserA                                       76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!CreateServiceA                                             76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] ADVAPI32.dll!LsaRemoveAccountRights                                     767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!RegisterRawInputDevices                                      76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!RegisterRawInputDevices + 4                                  76635B56 2 Bytes  [53, 71]
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!GetWindowTextA                                               76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!GetAsyncKeyState                                             7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!GetWindowTextW                                               7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!CreateWindowExA                                              7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!SetWindowsHookExW                                            7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!CreateWindowExW                                              7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!ShowWindow                                                   7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!ShowWindow + 4                                               7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!SetWinEventHook                                              766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!GetKeyState                                                  76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!DrawTextW                                                    76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!SetWindowTextW                                               7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!DrawTextA                                                    7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!SetWindowTextA                                               76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!GetKeyboardState                                             76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!GetKeyboardState + 4                                         7666694A 2 Bytes  [68, 71]
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!SetWindowsHookExA                                            76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!DdeConnect                                                   7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] USER32.dll!EndTask                                                      7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] GDI32.dll!DeleteDC                                                      77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] GDI32.dll!GetPixel                                                      77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] GDI32.dll!CreateDCA                                                     77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] GDI32.dll!CreateDCW                                                     77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\WUDFHost.exe[3748] SHELL32.dll!ShellExecuteW                                               76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] SHELL32.dll!Shell_NotifyIconW                                           76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] SHELL32.dll!ShellExecuteExW                                             76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] SHELL32.dll!ShellExecuteEx                                              7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] SHELL32.dll!ShellExecuteA                                               77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\System32\WUDFHost.exe[3748] SHELL32.dll!Shell_NotifyIcon                                            77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\Dwm.exe[3784] ntdll.dll!NtAlpcSendWaitReceivePort                                          77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] ntdll.dll!NtClose                                                            77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] ntdll.dll!NtLoadDriver                                                       77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\Dwm.exe[3784] ntdll.dll!NtLoadDriver + 4                                                   77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\Dwm.exe[3784] ntdll.dll!NtSuspendProcess                                                   77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\Dwm.exe[3784] ntdll.dll!NtSuspendProcess + 4                                               77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\Dwm.exe[3784] ntdll.dll!LdrUnloadDll                                                       77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] ntdll.dll!LdrLoadDll                                                         77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateProcessW                                                  767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateProcessA                                                  767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateProcessAsUserW                                            767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CopyFileW                                                       767E6B3F 6 Bytes  JMP 70DA000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CopyFileExW                                                     767EB280 6 Bytes  JMP 70D4000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateToolhelp32Snapshot                                        767EFD29 6 Bytes  JMP 70FB000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!OpenMutexA                                                      767F0412 6 Bytes  JMP 70AA000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!DeleteFileW                                                     767F1737 6 Bytes  JMP 7092000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!TerminateProcess                                                767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!VirtualProtect                                                  767F2C15 6 Bytes  JMP 70F2000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateMutexW                                                    767F33D6 6 Bytes  JMP 70AD000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!DeleteFileA                                                     767F43CA 6 Bytes  JMP 7095000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!OpenProcess                                                     767F54E7 6 Bytes  JMP 7074000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!MoveFileExW                                                     767F8DF8 6 Bytes  JMP 7077000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateDirectoryW                                                767F99D1 6 Bytes  JMP 70C5000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!LoadResource                                                    767F9CBA 6 Bytes  JMP 70E0000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!DeviceIoControl                                                 767FB96D 6 Bytes  JMP 70CB000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!VirtualAlloc                                                    767FC42A 6 Bytes  JMP 70F5000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!GetProcAddress                                                  767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateMutexA                                                    767FD7C4 6 Bytes  JMP 70B0000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!LoadLibraryA                                                    767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateThread                                                    767FDCB2 6 Bytes  JMP 70F8000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateFileW                                                     767FE895 6 Bytes  JMP 7101000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateFileA                                                     767FEA51 6 Bytes  JMP 70FE000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!WideCharToMultiByte                                             767FEEEA 6 Bytes  JMP 7083000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!MultiByteToWideChar                                             767FEEF7 6 Bytes  JMP 70A4000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!LoadLibraryW                                                    767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!WriteFile                                                       768053DE 6 Bytes  JMP 70C2000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!GetVolumeInformationW                                           76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!OpenMutexW                                                      76808ECD 6 Bytes  JMP 70A7000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!TerminateThread                                                 7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!MoveFileExA                                                     76813F68 6 Bytes  JMP 707A000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!GetVolumeInformationA                                           76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CopyFileA                                                       76816D4A 6 Bytes  JMP 70DD000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!MoveFileW                                                       76816EC6 6 Bytes  JMP 707D000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateDirectoryA                                                768180D5 6 Bytes  JMP 70C8000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!WriteProcessMemory                                              7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!DebugActiveProcess                                              7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!MoveFileA                                                       7683BF49 6 Bytes  JMP 7080000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CopyFileExA                                                     7683CDA1 6 Bytes  JMP 70D7000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!WinExec                                                         7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!CreateRemoteThread                                              7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!VirtualProtectEx                                                7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\Dwm.exe[3784] kernel32.dll!SetThreadContext                                                768408B3 6 Bytes  JMP 70BF000A 
.text           C:\Windows\system32\Dwm.exe[3784] GDI32.dll!DeleteDC                                                           77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] GDI32.dll!GetPixel                                                           77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] GDI32.dll!CreateDCA                                                          77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] GDI32.dll!CreateDCW                                                          77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!RegisterRawInputDevices                                           76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!RegisterRawInputDevices + 4                                       76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetWindowTextA                                                    76636EED 6 Bytes  JMP 70E9000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetAsyncKeyState                                                  7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetWindowTextW                                                    7663B8C5 6 Bytes  JMP 70E6000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!CreateWindowExA                                                   7663BF40 6 Bytes  JMP 709B000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWindowsHookExW                                                 7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!CreateWindowExW                                                   7663EC7C 6 Bytes  JMP 7098000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!ShowWindow                                                        7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!ShowWindow + 4                                                    7663F2AD 2 Bytes  [E2, 70] {LOOP 0x72}
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWinEventHook                                                   766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetKeyState                                                       76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!DrawTextW                                                         76645B6A 6 Bytes  JMP 709E000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWindowTextW                                                    7664612B 6 Bytes  JMP 7086000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!DrawTextA                                                         7665AE29 6 Bytes  JMP 70A1000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWindowTextA                                                    76660C5B 6 Bytes  JMP 7089000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetKeyboardState                                                  76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!GetKeyboardState + 4                                              7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!SetWindowsHookExA                                                 76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!DdeConnect                                                        7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\Dwm.exe[3784] USER32.dll!EndTask                                                           7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!OpenSCManagerW                                                  7671CA04 6 Bytes  JMP 70EC000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegOpenKeyA                                                     7671CBB5 6 Bytes  JMP 711F000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegCreateKeyA                                                   7671CCA1 6 Bytes  JMP 7125000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueA                                                  7671CDB2 5 Bytes  JMP 710D000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegDeleteKeyW                                                   767211F2 6 Bytes  JMP 708C000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegCreateKeyExA                                                 767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegSetValueExA                                                  76721433 6 Bytes  JMP 7113000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegSetValueExW                                                  76721456 6 Bytes  JMP 7110000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegCreateKeyW                                                   76721494 6 Bytes  JMP 7122000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegOpenKeyW                                                     767223D9 6 Bytes  JMP 711C000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!OpenSCManagerA                                                  76722B58 6 Bytes  JMP 70EF000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!LookupPrivilegeValueA                                           76723FCA 6 Bytes  JMP 70B9000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegCreateKeyExW                                                 7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!AdjustTokenPrivileges                                           7672410E 6 Bytes  JMP 70B3000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!LookupPrivilegeValueW                                           76724133 6 Bytes  JMP 70B6000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!OpenProcessToken                                                76724284 6 Bytes  JMP 70BC000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueW                                                  76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueW + 4                                              76724438 2 Bytes  [09, 71]
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegOpenKeyExW                                                   7672460D 6 Bytes  JMP 7116000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueExW                                                7672462D 6 Bytes  JMP 7104000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegQueryValueExA                                                7672486F 6 Bytes  JMP 7107000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegOpenKeyExA                                                   76724887 6 Bytes  JMP 7119000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!CreateServiceW                                                  767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!RegDeleteKeyA                                                   7673A84F 6 Bytes  JMP 708F000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!CreateProcessAsUserA                                            76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!CreateServiceA                                                  76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\Dwm.exe[3784] ADVAPI32.dll!LsaRemoveAccountRights                                          767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!ShellExecuteW                                                    76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!Shell_NotifyIconW                                                76E70171 6 Bytes  JMP 70CE000A 
.text           C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!ShellExecuteExW                                                  76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!ShellExecuteEx                                                   7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!ShellExecuteA                                                    77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\Dwm.exe[3784] SHELL32.dll!Shell_NotifyIcon                                                 77098F9E 6 Bytes  JMP 70D1000A 
.text           C:\Windows\Explorer.EXE[3812] ntdll.dll!NtAlpcSendWaitReceivePort                                              77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] ntdll.dll!NtClose                                                                77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] ntdll.dll!NtLoadDriver                                                           77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[3812] ntdll.dll!NtLoadDriver + 4                                                       77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\Explorer.EXE[3812] ntdll.dll!NtSuspendProcess                                                       77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[3812] ntdll.dll!NtSuspendProcess + 4                                                   77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\Explorer.EXE[3812] ntdll.dll!LdrUnloadDll                                                           77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] ntdll.dll!LdrLoadDll                                                             77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateProcessW                                                      767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateProcessA                                                      767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateProcessAsUserW                                                767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileW                                                           767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileExW                                                         767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateToolhelp32Snapshot                                            767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!OpenMutexA                                                          767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!DeleteFileW                                                         767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!TerminateProcess                                                    767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!VirtualProtect                                                      767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateMutexW                                                        767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!DeleteFileA                                                         767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!OpenProcess                                                         767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileExW                                                         767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateDirectoryW                                                    767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadResource                                                        767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!DeviceIoControl                                                     767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!VirtualAlloc                                                        767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!GetProcAddress                                                      767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateMutexA                                                        767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadLibraryA                                                        767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateThread                                                        767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateFileW                                                         767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateFileA                                                         767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!WideCharToMultiByte                                                 767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!MultiByteToWideChar                                                 767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!LoadLibraryW                                                        767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!WriteFile                                                           768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!GetVolumeInformationW                                               76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!OpenMutexW                                                          76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!TerminateThread                                                     7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileExA                                                         76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!GetVolumeInformationA                                               76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileA                                                           76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileW                                                           76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateDirectoryA                                                    768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!WriteProcessMemory                                                  7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!DebugActiveProcess                                                  7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!MoveFileA                                                           7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CopyFileExA                                                         7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!WinExec                                                             7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!CreateRemoteThread                                                  7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!VirtualProtectEx                                                    7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\Explorer.EXE[3812] kernel32.dll!SetThreadContext                                                    768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!OpenSCManagerW                                                      7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyA                                                         7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyA                                                       7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueA                                                      7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegDeleteKeyW                                                       767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyExA                                                     767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegSetValueExA                                                      76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegSetValueExW                                                      76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyW                                                       76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyW                                                         767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!OpenSCManagerA                                                      76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!LookupPrivilegeValueA                                               76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegCreateKeyExW                                                     7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!AdjustTokenPrivileges                                               7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!LookupPrivilegeValueW                                               76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!OpenProcessToken                                                    76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueW                                                      76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueW + 4                                                  76724438 2 Bytes  [26, 71]
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyExW                                                       7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueExW                                                    7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegQueryValueExA                                                    7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegOpenKeyExA                                                       76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!CreateServiceW                                                      767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!RegDeleteKeyA                                                       7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!CreateProcessAsUserA                                                76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!CreateServiceA                                                      76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\Explorer.EXE[3812] ADVAPI32.dll!LsaRemoveAccountRights                                              767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\Explorer.EXE[3812] GDI32.dll!DeleteDC                                                               77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] GDI32.dll!GetPixel                                                               77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] GDI32.dll!CreateDCA                                                              77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] GDI32.dll!CreateDCW                                                              77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!RegisterRawInputDevices                                               76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!RegisterRawInputDevices + 4                                           76635B56 2 Bytes  [53, 71]
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!GetWindowTextA                                                        76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!GetAsyncKeyState                                                      7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!GetWindowTextW                                                        7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!CreateWindowExA                                                       7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowsHookExW                                                     7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!CreateWindowExW                                                       7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!ShowWindow                                                            7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!ShowWindow + 4                                                        7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!SetWinEventHook                                                       766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!GetKeyState                                                           76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!DrawTextW                                                             76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowTextW                                                        7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!DrawTextA                                                             7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowTextA                                                        76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!GetKeyboardState                                                      76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!GetKeyboardState + 4                                                  7666694A 2 Bytes  [68, 71]
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!SetWindowsHookExA                                                     76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!DdeConnect                                                            7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\Explorer.EXE[3812] USER32.dll!EndTask                                                               7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteW                                                        76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\Explorer.EXE[3812] SHELL32.dll!Shell_NotifyIconW                                                    76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteExW                                                      76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteEx                                                       7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\Explorer.EXE[3812] SHELL32.dll!ShellExecuteA                                                        77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\Explorer.EXE[3812] SHELL32.dll!Shell_NotifyIcon                                                     77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\Explorer.EXE[3812] WININET.dll!InternetOpenUrlA                                                     7696E1C6 6 Bytes  JMP 708E000A 
.text           C:\Windows\Explorer.EXE[3812] WININET.dll!InternetOpenUrlW                                                     769CDC08 6 Bytes  JMP 708B000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtAlpcSendWaitReceivePort                                     77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtClose                                                       77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtLoadDriver                                                  77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtLoadDriver + 4                                              77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtSuspendProcess                                              77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!NtSuspendProcess + 4                                          77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!LdrUnloadDll                                                  77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] ntdll.dll!LdrLoadDll                                                    77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateProcessW                                             767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateProcessA                                             767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateProcessAsUserW                                       767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CopyFileW                                                  767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CopyFileExW                                                767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateToolhelp32Snapshot                                   767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!OpenMutexA                                                 767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!DeleteFileW                                                767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!TerminateProcess                                           767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!VirtualProtect                                             767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateMutexW                                               767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!DeleteFileA                                                767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!OpenProcess                                                767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MoveFileExW                                                767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateDirectoryW                                           767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!LoadResource                                               767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!DeviceIoControl                                            767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!VirtualAlloc                                               767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!GetProcAddress                                             767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateMutexA                                               767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!LoadLibraryA                                               767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateThread                                               767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateFileW                                                767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateFileA                                                767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!WideCharToMultiByte                                        767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MultiByteToWideChar                                        767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!LoadLibraryW                                               767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!WriteFile                                                  768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!GetVolumeInformationW                                      76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!OpenMutexW                                                 76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!TerminateThread                                            7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MoveFileExA                                                76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!GetVolumeInformationA                                      76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CopyFileA                                                  76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MoveFileW                                                  76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateDirectoryA                                           768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!WriteProcessMemory                                         7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!DebugActiveProcess                                         7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!MoveFileA                                                  7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CopyFileExA                                                7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!WinExec                                                    7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateRemoteThread                                         7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!VirtualProtectEx                                           7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!SetThreadContext                                           768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\System32\TpShocks.exe[3932] GDI32.dll!DeleteDC                                                      77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] GDI32.dll!GetPixel                                                      77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] GDI32.dll!CreateDCA                                                     77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] GDI32.dll!CreateDCW                                                     77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!RegisterRawInputDevices                                      76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!RegisterRawInputDevices + 4                                  76635B56 2 Bytes  [53, 71]
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetWindowTextA                                               76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetAsyncKeyState                                             7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetWindowTextW                                               7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!CreateWindowExA                                              7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWindowsHookExW                                            7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!CreateWindowExW                                              7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!ShowWindow                                                   7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!ShowWindow + 4                                               7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWinEventHook                                              766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetKeyState                                                  76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!DrawTextW                                                    76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWindowTextW                                               7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!DrawTextA                                                    7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWindowTextA                                               76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetKeyboardState                                             76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!GetKeyboardState + 4                                         7666694A 2 Bytes  [68, 71]
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!SetWindowsHookExA                                            76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!DdeConnect                                                   7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!EndTask                                                      7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!OpenSCManagerW                                             7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegOpenKeyA                                                7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegCreateKeyA                                              7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueA                                             7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegDeleteKeyW                                              767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegCreateKeyExA                                            767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegSetValueExA                                             76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegSetValueExW                                             76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegCreateKeyW                                              76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegOpenKeyW                                                767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!OpenSCManagerA                                             76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!LookupPrivilegeValueA                                      76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegCreateKeyExW                                            7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!AdjustTokenPrivileges                                      7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!LookupPrivilegeValueW                                      76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!OpenProcessToken                                           76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueW                                             76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueW + 4                                         76724438 2 Bytes  [26, 71]
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegOpenKeyExW                                              7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueExW                                           7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegQueryValueExA                                           7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegOpenKeyExA                                              76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!CreateServiceW                                             767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!RegDeleteKeyA                                              7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!CreateProcessAsUserA                                       76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!CreateServiceA                                             76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\System32\TpShocks.exe[3932] ADVAPI32.dll!LsaRemoveAccountRights                                     767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!ShellExecuteW                                               76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!Shell_NotifyIconW                                           76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!ShellExecuteExW                                             76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!ShellExecuteEx                                              7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!ShellExecuteA                                               77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\System32\TpShocks.exe[3932] SHELL32.dll!Shell_NotifyIcon                                            77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtAlpcSendWaitReceivePort                           77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtClose                                             77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtLoadDriver                                        77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtLoadDriver + 4                                    77C85B9C 2 Bytes  [5F, 71]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtSuspendProcess                                    77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtSuspendProcess + 4                                77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!LdrUnloadDll                                        77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!LdrLoadDll                                          77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateProcessW                                   767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateProcessA                                   767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateProcessAsUserW                             767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CopyFileW                                        767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CopyFileExW                                      767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateToolhelp32Snapshot                         767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!OpenMutexA                                       767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!DeleteFileW                                      767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!TerminateProcess                                 767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!VirtualProtect                                   767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateMutexW                                     767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!DeleteFileA                                      767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!OpenProcess                                      767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MoveFileExW                                      767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateDirectoryW                                 767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!LoadResource                                     767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!DeviceIoControl                                  767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!VirtualAlloc                                     767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!GetProcAddress                                   767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateMutexA                                     767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!LoadLibraryA                                     767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateThread                                     767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateFileW                                      767FE895 6 Bytes  JMP 711E000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateFileA                                      767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!WideCharToMultiByte                              767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MultiByteToWideChar                              767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!LoadLibraryW                                     767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!WriteFile                                        768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!GetVolumeInformationW                            76806191 6 Bytes  JMP 714B000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!OpenMutexW                                       76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!TerminateThread                                  7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MoveFileExA                                      76813F68 6 Bytes  JMP 7097000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!GetVolumeInformationA                            76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CopyFileA                                        76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MoveFileW                                        76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateDirectoryA                                 768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!WriteProcessMemory                               7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!DebugActiveProcess                               7683738C 6 Bytes  JMP 7172000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!MoveFileA                                        7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CopyFileExA                                      7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!WinExec                                          7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateRemoteThread                               7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!VirtualProtectEx                                 7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!SetThreadContext                                 768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!RegisterRawInputDevices                            76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!RegisterRawInputDevices + 4                        76635B56 2 Bytes  [53, 71]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetWindowTextA                                     76636EED 6 Bytes  JMP 7106000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetAsyncKeyState                                   7663A256 6 Bytes  JMP 716C000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetWindowTextW                                     7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!CreateWindowExA                                    7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWindowsHookExW                                  7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!CreateWindowExW                                    7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!ShowWindow                                         7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!ShowWindow + 4                                     7663F2AD 2 Bytes  [FF, 70]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWinEventHook                                    766424DC 6 Bytes  JMP 7157000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetKeyState                                        76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!DrawTextW                                          76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWindowTextW                                     7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!DrawTextA                                          7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWindowTextA                                     76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetKeyboardState                                   76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!GetKeyboardState + 4                               7666694A 2 Bytes  [68, 71]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!SetWindowsHookExA                                  76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!DdeConnect                                         7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] USER32.dll!EndTask                                            7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] GDI32.dll!DeleteDC                                            77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] GDI32.dll!GetPixel                                            77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] GDI32.dll!CreateDCA                                           77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] GDI32.dll!CreateDCW                                           77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!OpenSCManagerW                                   7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegOpenKeyA                                      7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegCreateKeyA                                    7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueA                                   7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegDeleteKeyW                                    767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegCreateKeyExA                                  767213E9 6 Bytes  JMP 7148000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegSetValueExA                                   76721433 6 Bytes  JMP 7130000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegSetValueExW                                   76721456 6 Bytes  JMP 712D000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegCreateKeyW                                    76721494 6 Bytes  JMP 713F000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegOpenKeyW                                      767223D9 6 Bytes  JMP 7139000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!OpenSCManagerA                                   76722B58 6 Bytes  JMP 710C000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!LookupPrivilegeValueA                            76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegCreateKeyExW                                  7672407E 6 Bytes  JMP 7145000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!AdjustTokenPrivileges                            7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!LookupPrivilegeValueW                            76724133 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!OpenProcessToken                                 76724284 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueW                                   76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueW + 4                               76724438 2 Bytes  [26, 71]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegOpenKeyExW                                    7672460D 6 Bytes  JMP 7133000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueExW                                 7672462D 6 Bytes  JMP 7121000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegQueryValueExA                                 7672486F 6 Bytes  JMP 7124000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegOpenKeyExA                                    76724887 6 Bytes  JMP 7136000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!CreateServiceW                                   767370C4 6 Bytes  JMP 715A000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!RegDeleteKeyA                                    7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!CreateProcessAsUserA                             76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!CreateServiceA                                   76753264 6 Bytes  JMP 715D000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ADVAPI32.dll!LsaRemoveAccountRights                           767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!ShellExecuteW                                     76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!Shell_NotifyIconW                                 76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!ShellExecuteExW                                   76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!ShellExecuteEx                                    7709748A 6 Bytes  JMP 7184000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!ShellExecuteA                                     77097525 6 Bytes  JMP 718A000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] SHELL32.dll!Shell_NotifyIcon                                  77098F9E 6 Bytes  JMP 70EE000A

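Added example (not from the thread, and not GMER's or the poster's code): a Python script that parses GMER user-mode hook lines of the kind posted above and groups them by where each hook transfers control. In this log GMER resolves some hooks to a named DLL, guard32.dll (the user-mode hook DLL of COMODO Internet Security), and reports the rest either as a bare JMP target (every one of them ending in 000A) or, for FF 25 indirect jumps, as raw patch bytes split over a base line and a "+ 4" continuation line. The script folds those split entries back together, renders the partial pointer, and lists destinations that occur in only one process, which is what a practitioner attributes by hand before reading uniform per-process hooks like these as malware. The sample lines are copied from the posted log; the process sample.exe and its hook are constructed to show what an outlier looks like, and the classification labels are the script's own.

```python
"""Triage of GMER user-mode hook lines (added example, not from the thread).

GMER lists every patched export per process as a ".text" line.  For some
hooks it names the DLL the JMP lands in; for others it prints only the
target address, or, for indirect "FF 25" jumps, the raw patch bytes split
over a base line and a "+ 4" continuation line.  This script parses those
lines, folds the continuation entries back into their hook, and groups the
hooks by destination so that a destination seen in a single process stands
out from the uniform hooking a security product applies to every process.
"""
import re
from collections import Counter, defaultdict

# Shape of one GMER hook line; the group names are this script's own.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<symbol>[^\s+]+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<target_module>\S.*?))?"
    r"|\[(?P<raw>[^\]]+)\](?:\s+\{[^}]*\})?)\s*$"
)

# Lines copied verbatim from the GMER log posted in this thread.
SAMPLE_LOG = r"""
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!VirtualProtect                                             767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\System32\TpShocks.exe[3932] kernel32.dll!CreateRemoteThread                                         7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\System32\TpShocks.exe[3932] GDI32.dll!DeleteDC                                                      77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!RegisterRawInputDevices                                      76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\TpShocks.exe[3932] USER32.dll!RegisterRawInputDevices + 4                                  76635B56 2 Bytes  [53, 71]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtSuspendProcess                                    77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] ntdll.dll!NtSuspendProcess + 4                                77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!VirtualProtect                                   767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Program Files\Lenovo\HOTKEY\tpfnf6r.exe[3956] kernel32.dll!CreateProcessW                                   767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
"""

# Constructed outlier, NOT from the posted log: one process with a hook that
# lands where no other process is hooked.  This is what triage should flag.
CONSTRUCTED_OUTLIER = (
    r".text           C:\Users\demo\AppData\Local\Temp\sample.exe[9999] "
    r"kernel32.dll!CreateProcessW    767B204D 5 Bytes  JMP 00A71F30"
)
SAMPLE_TEXT = SAMPLE_LOG + CONSTRUCTED_OUTLIER + "\n"


def parse_hooks(text):
    """Return one dict per hooked export; '+ N' continuation lines are merged
    into the entry for the same process, module and symbol."""
    hooks, by_key = [], {}
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        key = (d["pid"], d["module"], d["symbol"])
        raw = [int(b, 16) for b in d["raw"].split(",")] if d["raw"] else []
        if d["offset"] is not None:
            base = by_key.get(key)
            if base is not None:
                gap = int(d["offset"]) - len(base["raw_bytes"])
                base["raw_bytes"] += [None] * gap + raw  # None: byte GMER did not print
            continue
        entry = {
            "process": d["process"].rsplit("\\", 1)[-1],
            "pid": int(d["pid"]),
            "export": "%s!%s" % (d["module"], d["symbol"]),
            "size": int(d["size"]),
            "target": int(d["target"], 16) if d["target"] else None,
            "target_module": d["target_module"],
            "raw_bytes": raw,
        }
        hooks.append(entry)
        by_key[key] = entry
    return hooks


def indirect_pointer(raw):
    """For an FF 25 patch (jmp dword ptr [disp32]) render the 32-bit pointer
    GMER showed, little-endian, with '??' for a byte it did not print."""
    if len(raw) < 6 or raw[0] != 0xFF or raw[1] != 0x25:
        return None
    return "0x" + "".join("??" if b is None else "%02X" % b for b in reversed(raw[2:6]))


def destination(hook):
    """Coarse label for where a hook transfers control."""
    if hook["target_module"]:
        return hook["target_module"].rsplit("\\", 1)[-1].lower()
    if hook["target"] is not None:
        # Bare trampolines: in the posted log every such target ends in 000A,
        # so the low 16 bits are a usable key for "same hooking component".
        return "unnamed target, low word 0x%04X" % (hook["target"] & 0xFFFF)
    ptr = indirect_pointer(hook["raw_bytes"])
    if ptr:
        return "indirect jmp (FF 25) via pointer in 0x%sxxxxxx" % ptr[2:4]
    return "patched bytes"


def summarise(hooks):
    """destination -> Counter(process -> number of hooks landing there)."""
    summary = defaultdict(Counter)
    for h in hooks:
        summary[destination(h)][h["process"]] += 1
    return summary


def lone_destinations(hooks):
    """Destinations hooked in exactly one process.  A security product typically
    hooks every process the same way, so a one-off destination is the entry to
    attribute by hand (which image owns that address?) before suspecting it."""
    return sorted(d for d, procs in summarise(hooks).items() if len(procs) == 1)


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_TEXT)
    for dest, procs in sorted(summarise(hooks).items()):
        print("%-50s %s" % (dest, dict(procs)))
    print("seen in one process only:", lone_destinations(hooks))
```

Run as-is, the script reports guard32.dll, the 000A trampolines and the FF 25 indirect jumps as present in both TpShocks.exe and tpfnf6r.exe, and only the constructed sample.exe hook as a destination seen in a single process. Feeding it the full posted log (thousands of lines) is the intended use; the regex ignores GMER's kernel-mode sections and anything else that is not a ".text" hook line.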
Old 21.02.2014, 22:11   #13
gini57

Windows 7: Bluescreen after startup, system restore successful but suspected malware

gmer09_4586-5141.txt

Code:
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtAlpcSendWaitReceivePort     77C85458 5 Bytes  JMP 0026B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtClose                       77C85508 5 Bytes  JMP 0025D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtLoadDriver                  77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtLoadDriver + 4              77C85B9C 2 Bytes  [5F, 71]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtSuspendProcess              77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!NtSuspendProcess + 4          77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!LdrUnloadDll                  77C9C8DE 7 Bytes  JMP 0025D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ntdll.dll!LdrLoadDll                    77CA22AE 5 Bytes  JMP 00267F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateProcessW             767B204D 5 Bytes  JMP 00265070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateProcessA             767B2082 5 Bytes  JMP 00265C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateProcessAsUserW       767E59FF 5 Bytes  JMP 00263BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CopyFileW                  767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CopyFileExW                767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateToolhelp32Snapshot   767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!OpenMutexA                 767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!DeleteFileW                767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!TerminateProcess           767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!VirtualProtect             767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateMutexW               767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!DeleteFileA                767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!OpenProcess                767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MoveFileExW                767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateDirectoryW           767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!LoadResource               767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!DeviceIoControl            767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!VirtualAlloc               767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!GetProcAddress             767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateMutexA               767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!LoadLibraryA               767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateThread               767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateFileW                767FE895 6 Bytes  JMP 711E000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateFileA                767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!WideCharToMultiByte        767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MultiByteToWideChar        767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!LoadLibraryW               767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!WriteFile                  768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!GetVolumeInformationW      76806191 6 Bytes  JMP 714B000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!OpenMutexW                 76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!TerminateThread            7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MoveFileExA                76813F68 6 Bytes  JMP 7097000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!GetVolumeInformationA      76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CopyFileA                  76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MoveFileW                  76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateDirectoryA           768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!WriteProcessMemory         7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!DebugActiveProcess         7683738C 6 Bytes  JMP 7172000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!MoveFileA                  7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CopyFileExA                7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!WinExec                    7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!CreateRemoteThread         7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!VirtualProtectEx           7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] kernel32.dll!SetThreadContext           768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!OpenSCManagerW             7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegOpenKeyA                7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegCreateKeyA              7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueA             7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegDeleteKeyW              767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegCreateKeyExA            767213E9 6 Bytes  JMP 7148000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegSetValueExA             76721433 6 Bytes  JMP 7130000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegSetValueExW             76721456 6 Bytes  JMP 712D000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegCreateKeyW              76721494 6 Bytes  JMP 713F000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegOpenKeyW                767223D9 6 Bytes  JMP 7139000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!OpenSCManagerA             76722B58 6 Bytes  JMP 710C000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!LookupPrivilegeValueA      76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegCreateKeyExW            7672407E 6 Bytes  JMP 7145000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!AdjustTokenPrivileges      7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!LookupPrivilegeValueW      76724133 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!OpenProcessToken           76724284 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueW             76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueW + 4         76724438 2 Bytes  [26, 71]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegOpenKeyExW              7672460D 6 Bytes  JMP 7133000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueExW           7672462D 6 Bytes  JMP 7121000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegQueryValueExA           7672486F 6 Bytes  JMP 7124000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegOpenKeyExA              76724887 6 Bytes  JMP 7136000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!CreateServiceW             767370C4 6 Bytes  JMP 715A000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!RegDeleteKeyA              7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!CreateProcessAsUserA       76752642 5 Bytes  JMP 002644D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!CreateServiceA             76753264 6 Bytes  JMP 715D000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] ADVAPI32.dll!LsaRemoveAccountRights     767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!RegisterRawInputDevices      76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!RegisterRawInputDevices + 4  76635B56 2 Bytes  [53, 71]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetWindowTextA               76636EED 6 Bytes  JMP 7106000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetAsyncKeyState             7663A256 6 Bytes  JMP 716C000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetWindowTextW               7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!CreateWindowExA              7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWindowsHookExW            7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!CreateWindowExW              7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!ShowWindow                   7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!ShowWindow + 4               7663F2AD 2 Bytes  [FF, 70]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWinEventHook              766424DC 6 Bytes  JMP 7157000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetKeyState                  76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!DrawTextW                    76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWindowTextW               7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!DrawTextA                    7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWindowTextA               76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetKeyboardState             76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!GetKeyboardState + 4         7666694A 2 Bytes  [68, 71]
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!SetWindowsHookExA            76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!DdeConnect                   7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] USER32.dll!EndTask                      7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] GDI32.dll!DeleteDC                      77DF6EAA 5 Bytes  JMP 00268D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] GDI32.dll!GetPixel                      77DFC3D5 5 Bytes  JMP 00268AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] GDI32.dll!CreateDCA                     77DFCCA9 5 Bytes  JMP 00269E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] GDI32.dll!CreateDCW                     77DFCF79 5 Bytes  JMP 00269D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!ShellExecuteW               76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!Shell_NotifyIconW           76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!ShellExecuteExW             76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!ShellExecuteEx              7709748A 6 Bytes  JMP 7184000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!ShellExecuteA               77097525 6 Bytes  JMP 718A000A 
.text           C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[3964] SHELL32.dll!Shell_NotifyIcon            77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] ntdll.dll!NtAlpcSendWaitReceivePort                               77C85458 5 Bytes  JMP 0021B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] ntdll.dll!NtClose                                                 77C85508 5 Bytes  JMP 0020D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] ntdll.dll!LdrUnloadDll                                            77C9C8DE 7 Bytes  JMP 0020D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] ntdll.dll!LdrLoadDll                                              77CA22AE 5 Bytes  JMP 00217F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] kernel32.dll!CreateProcessW                                       767B204D 5 Bytes  JMP 00215070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] kernel32.dll!CreateProcessA                                       767B2082 5 Bytes  JMP 00215C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] kernel32.dll!CreateProcessAsUserW                                 767E59FF 5 Bytes  JMP 00213BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] GDI32.dll!DeleteDC                                                77DF6EAA 5 Bytes  JMP 00218D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] GDI32.dll!GetPixel                                                77DFC3D5 5 Bytes  JMP 00218AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] GDI32.dll!CreateDCA                                               77DFCCA9 5 Bytes  JMP 00219E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] GDI32.dll!CreateDCW                                               77DFCF79 5 Bytes  JMP 00219D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\ThreatFire\TFTray.exe[3980] ADVAPI32.dll!CreateProcessAsUserA                                 76752642 5 Bytes  JMP 002144D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtAllocateVirtualMemory               77C85318 1 Byte  [E9]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtAllocateVirtualMemory               77C85318 5 Bytes  JMP 00780630 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtLoadDriver                          77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtLoadDriver + 4                      77C85B9C 2 Bytes  [62, 71]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtSuspendProcess                      77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ntdll.dll!NtSuspendProcess + 4                  77C868CC 2 Bytes  [7A, 71] {JP 0x73}
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateProcessW                     767B204D 6 Bytes  JMP 718F001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateProcessA                     767B2082 6 Bytes  JMP 7192001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CopyFileW                          767E6B3F 6 Bytes  JMP 70F9001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CopyFileExW                        767EB280 6 Bytes  JMP 70F3001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateToolhelp32Snapshot           767EFD29 6 Bytes  JMP 711A001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!OpenMutexA                         767F0412 6 Bytes  JMP 70C3001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!DeleteFileW                        767F1737 6 Bytes  JMP 70AB001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!TerminateProcess                   767F2C05 6 Bytes  JMP 71A4001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!VirtualProtect                     767F2C15 6 Bytes  JMP 7111001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateMutexW                       767F33D6 6 Bytes  JMP 70C6001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!DeleteFileA                        767F43CA 6 Bytes  JMP 70AE001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!OpenProcess                        767F54E7 6 Bytes  JMP 708D001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MoveFileExW                        767F8DF8 6 Bytes  JMP 7090001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateDirectoryW                   767F99D1 6 Bytes  JMP 70DE001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!LoadResource                       767F9CBA 6 Bytes  JMP 70FF001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!DeviceIoControl                    767FB96D 6 Bytes  JMP 70EA001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!VirtualAlloc                       767FC42A 6 Bytes  JMP 7114001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!GetProcAddress                     767FCC84 6 Bytes  JMP 7153001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateMutexA                       767FD7C4 6 Bytes  JMP 70C9001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!LoadLibraryA                       767FDC55 6 Bytes  JMP 719E001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateThread                       767FDCB2 6 Bytes  JMP 7117001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateFileW                        767FE895 6 Bytes  JMP 7120001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateFileA                        767FEA51 6 Bytes  JMP 711D001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!WideCharToMultiByte                767FEEEA 6 Bytes  JMP 709C001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MultiByteToWideChar                767FEEF7 6 Bytes  JMP 70BD001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!LoadLibraryW                       767FEF32 6 Bytes  JMP 719B001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!WriteFile                          768053DE 6 Bytes  JMP 70DB001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!GetVolumeInformationW              76806191 6 Bytes  JMP 714D001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!OpenMutexW                         76808ECD 6 Bytes  JMP 70C0001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!TerminateThread                    7680BBF1 6 Bytes  JMP 7177001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MoveFileExA                        76813F68 6 Bytes  JMP 7093001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!GetVolumeInformationA              76815CB2 6 Bytes  JMP 7150001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CopyFileA                          76816D4A 6 Bytes  JMP 70FC001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MoveFileW                          76816EC6 6 Bytes  JMP 7096001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateDirectoryA                   768180D5 6 Bytes  JMP 70E1001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!WriteProcessMemory                 7681958F 6 Bytes  JMP 71A1001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!DebugActiveProcess                 7683738C 6 Bytes  JMP 7174001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!MoveFileA                          7683BF49 6 Bytes  JMP 7099001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CopyFileExA                        7683CDA1 6 Bytes  JMP 70F6001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!WinExec                            7683ED9E 6 Bytes  JMP 7180001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!CreateRemoteThread                 7683FADB 6 Bytes  JMP 71AE001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!VirtualProtectEx                   7683FD39 6 Bytes  JMP 7165001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] kernel32.dll!SetThreadContext                   768408B3 6 Bytes  JMP 70D8001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!RegisterRawInputDevices              76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!RegisterRawInputDevices + 4          76635B56 2 Bytes  [56, 71]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetWindowTextA                       76636EED 6 Bytes  JMP 7108001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetAsyncKeyState                     7663A256 6 Bytes  JMP 716E001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetWindowTextW                       7663B8C5 6 Bytes  JMP 7105001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!CreateWindowExA                      7663BF40 6 Bytes  JMP 70B4001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWindowsHookExW                    7663E30C 6 Bytes  JMP 7195001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!CreateWindowExW                      7663EC7C 6 Bytes  JMP 70B1001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!ShowWindow                           7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!ShowWindow + 4                       7663F2AD 2 Bytes  [02, 71]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWinEventHook                      766424DC 6 Bytes  JMP 7159001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetKeyState                          76642B4D 6 Bytes  JMP 7171001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!DrawTextW                            76645B6A 6 Bytes  JMP 70B7001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWindowTextW                       7664612B 6 Bytes  JMP 709F001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!DrawTextA                            7665AE29 6 Bytes  JMP 70BA001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWindowTextA                       76660C5B 6 Bytes  JMP 70A2001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetKeyboardState                     76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!GetKeyboardState + 4                 7666694A 2 Bytes  [6B, 71]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!SetWindowsHookExA                    76666D0C 6 Bytes  JMP 7198001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!DdeConnect                           7667EB5B 6 Bytes  JMP 7168001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] USER32.dll!EndTask                              7667FD66 6 Bytes  JMP 717D001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!ShellExecuteW                       76E63C31 6 Bytes  JMP 7189001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!Shell_NotifyIconW                   76E70171 6 Bytes  JMP 70ED001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!ShellExecuteExW                     76E71DF6 6 Bytes  JMP 7183001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!ShellExecuteEx                      7709748A 6 Bytes  JMP 7186001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!ShellExecuteA                       77097525 6 Bytes  JMP 718C001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] SHELL32.dll!Shell_NotifyIcon                    77098F9E 6 Bytes  JMP 70F0001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!OpenSCManagerW                     7671CA04 6 Bytes  JMP 710B001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegOpenKeyA                        7671CBB5 6 Bytes  JMP 713E001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegCreateKeyA                      7671CCA1 6 Bytes  JMP 7144001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueA                     7671CDB2 5 Bytes  JMP 712C001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegDeleteKeyW                      767211F2 6 Bytes  JMP 70A5001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegCreateKeyExA                    767213E9 6 Bytes  JMP 714A001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegSetValueExA                     76721433 6 Bytes  JMP 7132001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegSetValueExW                     76721456 6 Bytes  JMP 712F001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegCreateKeyW                      76721494 6 Bytes  JMP 7141001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegOpenKeyW                        767223D9 6 Bytes  JMP 713B001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!OpenSCManagerA                     76722B58 6 Bytes  JMP 710E001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!LookupPrivilegeValueA              76723FCA 6 Bytes  JMP 70D2001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegCreateKeyExW                    7672407E 6 Bytes  JMP 7147001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!AdjustTokenPrivileges              7672410E 6 Bytes  JMP 70CC001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!LookupPrivilegeValueW              76724133 6 Bytes  JMP 70CF001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!OpenProcessToken                   76724284 6 Bytes  JMP 70D5001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueW                     76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueW + 4                 76724438 2 Bytes  [29, 71]
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegOpenKeyExW                      7672460D 6 Bytes  JMP 7135001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueExW                   7672462D 6 Bytes  JMP 7123001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegQueryValueExA                   7672486F 6 Bytes  JMP 7126001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegOpenKeyExA                      76724887 6 Bytes  JMP 7138001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!CreateServiceW                     767370C4 6 Bytes  JMP 715C001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!RegDeleteKeyA                      7673A84F 6 Bytes  JMP 70A8001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!CreateServiceA                     76753264 6 Bytes  JMP 715F001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] ADVAPI32.dll!LsaRemoveAccountRights             767589F1 6 Bytes  JMP 71A7001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] WININET.dll!InternetOpenUrlA                    7696E1C6 6 Bytes  JMP 70E7001E 
.text           C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[3988] WININET.dll!InternetOpenUrlW                    769CDC08 6 Bytes  JMP 70E4001E 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtAlpcSendWaitReceivePort                             77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtClose                                               77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtLoadDriver                                          77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtLoadDriver + 4                                      77C85B9C 2 Bytes  [5F, 71]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtSuspendProcess                                      77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!NtSuspendProcess + 4                                  77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!LdrUnloadDll                                          77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ntdll.dll!LdrLoadDll                                            77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateProcessW                                     767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateProcessA                                     767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateProcessAsUserW                               767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CopyFileW                                          767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CopyFileExW                                        767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateToolhelp32Snapshot                           767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!OpenMutexA                                         767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!DeleteFileW                                        767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!TerminateProcess                                   767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!VirtualProtect                                     767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateMutexW                                       767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!DeleteFileA                                        767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!OpenProcess                                        767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MoveFileExW                                        767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateDirectoryW                                   767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!LoadResource                                       767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!DeviceIoControl                                    767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!VirtualAlloc                                       767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!GetProcAddress                                     767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateMutexA                                       767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!LoadLibraryA                                       767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateThread                                       767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateFileW                                        767FE895 6 Bytes  JMP 711E000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateFileA                                        767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!WideCharToMultiByte                                767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MultiByteToWideChar                                767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!LoadLibraryW                                       767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!WriteFile                                          768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!GetVolumeInformationW                              76806191 6 Bytes  JMP 714B000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!OpenMutexW                                         76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!TerminateThread                                    7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MoveFileExA                                        76813F68 6 Bytes  JMP 7097000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!GetVolumeInformationA                              76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CopyFileA                                          76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MoveFileW                                          76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateDirectoryA                                   768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!WriteProcessMemory                                 7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!DebugActiveProcess                                 7683738C 6 Bytes  JMP 7172000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!MoveFileA                                          7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CopyFileExA                                        7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!WinExec                                            7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!CreateRemoteThread                                 7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!VirtualProtectEx                                   7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] kernel32.dll!SetThreadContext                                   768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!RegisterRawInputDevices                              76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!RegisterRawInputDevices + 4                          76635B56 2 Bytes  [53, 71]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetWindowTextA                                       76636EED 6 Bytes  JMP 7106000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetAsyncKeyState                                     7663A256 6 Bytes  JMP 716C000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetWindowTextW                                       7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!CreateWindowExA                                      7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWindowsHookExW                                    7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!CreateWindowExW                                      7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!ShowWindow                                           7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!ShowWindow + 4                                       7663F2AD 2 Bytes  [FF, 70]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWinEventHook                                      766424DC 6 Bytes  JMP 7157000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetKeyState                                          76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!DrawTextW                                            76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWindowTextW                                       7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!DrawTextA                                            7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWindowTextA                                       76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetKeyboardState                                     76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!GetKeyboardState + 4                                 7666694A 2 Bytes  [68, 71]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!SetWindowsHookExA                                    76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!DdeConnect                                           7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] USER32.dll!EndTask                                              7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] GDI32.dll!DeleteDC                                              77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] GDI32.dll!GetPixel                                              77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] GDI32.dll!CreateDCA                                             77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] GDI32.dll!CreateDCW                                             77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!OpenSCManagerW                                     7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegOpenKeyA                                        7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegCreateKeyA                                      7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueA                                     7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegDeleteKeyW                                      767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegCreateKeyExA                                    767213E9 6 Bytes  JMP 7148000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegSetValueExA                                     76721433 6 Bytes  JMP 7130000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegSetValueExW                                     76721456 6 Bytes  JMP 712D000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegCreateKeyW                                      76721494 6 Bytes  JMP 713F000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegOpenKeyW                                        767223D9 6 Bytes  JMP 7139000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!OpenSCManagerA                                     76722B58 6 Bytes  JMP 710C000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!LookupPrivilegeValueA                              76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegCreateKeyExW                                    7672407E 6 Bytes  JMP 7145000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!AdjustTokenPrivileges                              7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!LookupPrivilegeValueW                              76724133 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!OpenProcessToken                                   76724284 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueW                                     76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueW + 4                                 76724438 2 Bytes  [26, 71]
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegOpenKeyExW                                      7672460D 6 Bytes  JMP 7133000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueExW                                   7672462D 6 Bytes  JMP 7121000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegQueryValueExA                                   7672486F 6 Bytes  JMP 7124000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegOpenKeyExA                                      76724887 6 Bytes  JMP 7136000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!CreateServiceW                                     767370C4 6 Bytes  JMP 715A000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!RegDeleteKeyA                                      7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!CreateProcessAsUserA                               76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!CreateServiceA                                     76753264 6 Bytes  JMP 715D000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] ADVAPI32.dll!LsaRemoveAccountRights                             767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!ShellExecuteW                                       76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!Shell_NotifyIconW                                   76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!ShellExecuteExW                                     76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!ShellExecuteEx                                      7709748A 6 Bytes  JMP 7184000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!ShellExecuteA                                       77097525 6 Bytes  JMP 718A000A 
.text           C:\Program Files\FreePDF_XP\fpassist.exe[4020] SHELL32.dll!Shell_NotifyIcon                                    77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtAlpcSendWaitReceivePort                                     77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtClose                                                       77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtLoadDriver                                                  77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtLoadDriver + 4                                              77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtSuspendProcess                                              77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4032] ntdll.dll!NtSuspendProcess + 4                                          77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\System32\rundll32.exe[4032] ntdll.dll!LdrUnloadDll                                                  77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] ntdll.dll!LdrLoadDll                                                    77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateProcessW                                             767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateProcessA                                             767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateProcessAsUserW                                       767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CopyFileW                                                  767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CopyFileExW                                                767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateToolhelp32Snapshot                                   767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!OpenMutexA                                                 767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!DeleteFileW                                                767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!TerminateProcess                                           767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!VirtualProtect                                             767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateMutexW                                               767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!DeleteFileA                                                767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!OpenProcess                                                767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MoveFileExW                                                767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateDirectoryW                                           767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!LoadResource                                               767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!DeviceIoControl                                            767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!VirtualAlloc                                               767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!GetProcAddress                                             767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateMutexA                                               767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!LoadLibraryA                                               767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateThread                                               767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateFileW                                                767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateFileA                                                767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!WideCharToMultiByte                                        767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MultiByteToWideChar                                        767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!LoadLibraryW                                               767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!WriteFile                                                  768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!GetVolumeInformationW                                      76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!OpenMutexW                                                 76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!TerminateThread                                            7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MoveFileExA                                                76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!GetVolumeInformationA                                      76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CopyFileA                                                  76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MoveFileW                                                  76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateDirectoryA                                           768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!WriteProcessMemory                                         7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!DebugActiveProcess                                         7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!MoveFileA                                                  7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CopyFileExA                                                7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!WinExec                                                    7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!CreateRemoteThread                                         7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!VirtualProtectEx                                           7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\System32\rundll32.exe[4032] kernel32.dll!SetThreadContext                                           768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!RegisterRawInputDevices                                      76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!RegisterRawInputDevices + 4                                  76635B56 2 Bytes  [53, 71]
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetWindowTextA                                               76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetAsyncKeyState                                             7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetWindowTextW                                               7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!CreateWindowExA                                              7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWindowsHookExW                                            7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!CreateWindowExW                                              7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!ShowWindow                                                   7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!ShowWindow + 4                                               7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWinEventHook                                              766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetKeyState                                                  76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!DrawTextW                                                    76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWindowTextW                                               7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!DrawTextA                                                    7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWindowTextA                                               76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetKeyboardState                                             76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!GetKeyboardState + 4                                         7666694A 2 Bytes  [68, 71]
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!SetWindowsHookExA                                            76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!DdeConnect                                                   7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\System32\rundll32.exe[4032] USER32.dll!EndTask                                                      7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\System32\rundll32.exe[4032] GDI32.dll!DeleteDC                                                      77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] GDI32.dll!GetPixel                                                      77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] GDI32.dll!CreateDCA                                                     77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] GDI32.dll!CreateDCW                                                     77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!OpenSCManagerW                                             7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegOpenKeyA                                                7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegCreateKeyA                                              7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueA                                             7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegDeleteKeyW                                              767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegCreateKeyExA                                            767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegSetValueExA                                             76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegSetValueExW                                             76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegCreateKeyW                                              76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegOpenKeyW                                                767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!OpenSCManagerA                                             76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!LookupPrivilegeValueA                                      76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegCreateKeyExW                                            7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!AdjustTokenPrivileges                                      7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!LookupPrivilegeValueW                                      76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!OpenProcessToken                                           76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueW                                             76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueW + 4                                         76724438 2 Bytes  [26, 71]
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegOpenKeyExW                                              7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueExW                                           7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegQueryValueExA                                           7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegOpenKeyExA                                              76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!CreateServiceW                                             767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!RegDeleteKeyA                                              7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!CreateProcessAsUserA                                       76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!CreateServiceA                                             76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\System32\rundll32.exe[4032] ADVAPI32.dll!LsaRemoveAccountRights                                     767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!ShellExecuteW                                               76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!Shell_NotifyIconW                                           76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!ShellExecuteExW                                             76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!ShellExecuteEx                                              7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!ShellExecuteA                                               77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\System32\rundll32.exe[4032] SHELL32.dll!Shell_NotifyIcon                                            77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtAlpcSendWaitReceivePort                                     77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtClose                                                       77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtLoadDriver                                                  77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtLoadDriver + 4                                              77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtSuspendProcess                                              77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtSuspendProcess + 4                                          77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\System32\rundll32.exe[4052] ntdll.dll!LdrUnloadDll                                                  77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] ntdll.dll!LdrLoadDll                                                    77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateProcessW                                             767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateProcessA                                             767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateProcessAsUserW                                       767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CopyFileW                                                  767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CopyFileExW                                                767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateToolhelp32Snapshot                                   767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!OpenMutexA                                                 767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!DeleteFileW                                                767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!TerminateProcess                                           767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!VirtualProtect                                             767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateMutexW                                               767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!DeleteFileA                                                767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!OpenProcess                                                767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MoveFileExW                                                767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateDirectoryW                                           767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!LoadResource                                               767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!DeviceIoControl                                            767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!VirtualAlloc                                               767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!GetProcAddress                                             767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateMutexA                                               767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!LoadLibraryA                                               767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateThread                                               767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateFileW                                                767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateFileA                                                767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!WideCharToMultiByte                                        767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MultiByteToWideChar                                        767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!LoadLibraryW                                               767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!WriteFile                                                  768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!GetVolumeInformationW                                      76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!OpenMutexW                                                 76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!TerminateThread                                            7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MoveFileExA                                                76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!GetVolumeInformationA                                      76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CopyFileA                                                  76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MoveFileW                                                  76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateDirectoryA                                           768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!WriteProcessMemory                                         7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!DebugActiveProcess                                         7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!MoveFileA                                                  7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CopyFileExA                                                7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!WinExec                                                    7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateRemoteThread                                         7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!VirtualProtectEx                                           7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\System32\rundll32.exe[4052] kernel32.dll!SetThreadContext                                           768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!RegisterRawInputDevices                                      76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!RegisterRawInputDevices + 4                                  76635B56 2 Bytes  [53, 71]
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetWindowTextA                                               76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetAsyncKeyState                                             7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetWindowTextW                                               7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!CreateWindowExA                                              7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWindowsHookExW                                            7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!CreateWindowExW                                              7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!ShowWindow                                                   7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!ShowWindow + 4                                               7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWinEventHook                                              766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetKeyState                                                  76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!DrawTextW                                                    76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWindowTextW                                               7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!DrawTextA                                                    7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWindowTextA                                               76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetKeyboardState                                             76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!GetKeyboardState + 4                                         7666694A 2 Bytes  [68, 71]
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!SetWindowsHookExA                                            76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!DdeConnect                                                   7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\System32\rundll32.exe[4052] USER32.dll!EndTask                                                      7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\System32\rundll32.exe[4052] GDI32.dll!DeleteDC                                                      77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] GDI32.dll!GetPixel                                                      77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] GDI32.dll!CreateDCA                                                     77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] GDI32.dll!CreateDCW                                                     77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!OpenSCManagerW                                             7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegOpenKeyA                                                7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegCreateKeyA                                              7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueA                                             7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegDeleteKeyW                                              767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegCreateKeyExA                                            767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegSetValueExA                                             76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegSetValueExW                                             76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegCreateKeyW                                              76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegOpenKeyW                                                767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!OpenSCManagerA                                             76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!LookupPrivilegeValueA                                      76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegCreateKeyExW                                            7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!AdjustTokenPrivileges                                      7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!LookupPrivilegeValueW                                      76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!OpenProcessToken                                           76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueW                                             76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueW + 4                                         76724438 2 Bytes  [26, 71]
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegOpenKeyExW                                              7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueExW                                           7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegQueryValueExA                                           7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegOpenKeyExA                                              76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!CreateServiceW                                             767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!RegDeleteKeyA                                              7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!CreateProcessAsUserA                                       76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!CreateServiceA                                             76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\System32\rundll32.exe[4052] ADVAPI32.dll!LsaRemoveAccountRights                                     767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!ShellExecuteW                                               76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!Shell_NotifyIconW                                           76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!ShellExecuteExW                                             76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!ShellExecuteEx                                              7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!ShellExecuteA                                               77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\System32\rundll32.exe[4052] SHELL32.dll!Shell_NotifyIcon                                            77098F9E 6 Bytes  JMP 70EE000A
         

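Every entry in the GMER output above has the same shape: the process and PID, the hooked export (`ntdll.dll!NtClose`, `kernel32.dll!CreateRemoteThread`, ...), the patched address, and either a resolved `JMP` target (sometimes with the module GMER attributes it to, here always `C:\Windows\system32\guard32.dll`, the user-mode hooking DLL of Comodo's security suite) or, where GMER could not resolve the patch, just the raw bytes, split over a `+0` and a `+ 4` line such as `[FF, 25, 1E]` / `[5F, 71]`. The following parser is an added example for reading this kind of log; it is not part of gini57's post, of GMER, or of the Trojaner-Board instructions. It groups the hooks per process, counts those that resolve to a named module, lists those whose `JMP` target is a bare address, and reassembles the split raw-byte pairs into the x86 `jmp dword ptr [pointer]` (opcode `FF 25` plus a little-endian 4-byte pointer) they encode. The names `Hook`, `parse_line`, `indirect_jmp_pointer` and `summarize` are this example's own; the sample input is a handful of lines copied from the log above with the padding collapsed; and the `??` in the reassembled pointer marks the one byte (`+3`) that GMER did not print, which is left unknown rather than guessed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One GMER user-mode hook entry:
#   .text  <process>[pid] <module>!<export>[ + <off>]  <addr> <n> Bytes  <JMP target [lib] | [raw bytes] ...>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<rest>.*?)\s*$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<lib>\S.*))?$")
BYTES_RE = re.compile(r"^\[(?P<hex>[0-9A-Fa-f]{2}(?:\s*,\s*[0-9A-Fa-f]{2})*)\]")


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    offset: int                 # 0, or N for a "<export> + N" continuation entry
    address: int
    length: int
    target: Optional[int]       # JMP destination GMER printed, if any
    target_lib: Optional[str]   # module GMER attributed that destination to, if any
    raw: Tuple[int, ...]        # patched bytes, when GMER printed bytes instead of a JMP


def parse_line(line: str) -> Optional[Hook]:
    """Parse one hook entry; returns None for anything else (headers, blank lines, ...)."""
    m = HOOK_RE.match(line.rstrip())
    if not m:
        return None
    target = lib = None
    raw: Tuple[int, ...] = ()
    j = JMP_RE.match(m["rest"])
    if j:
        target = int(j["target"], 16)
        lib = j["lib"].strip() if j["lib"] else None
    else:
        b = BYTES_RE.match(m["rest"])
        if b:
            raw = tuple(int(x.strip(), 16) for x in b["hex"].split(","))
    proc = m["proc"]
    return Hook(proc[: proc.rindex("[")], int(m["pid"]), m["mod"], m["func"],
                int(m["off"] or 0), int(m["addr"], 16), int(m["n"]), target, lib, raw)


def indirect_jmp_pointer(parts: List[Hook]) -> Optional[str]:
    """Reassemble an x86 `jmp dword ptr [imm32]` (opcode FF 25 + 4-byte pointer) that GMER
    printed as two raw-byte entries, "[FF, 25, 1E]" at +0 and e.g. "[5F, 71]" at +4.
    Byte +3 of the pointer is not in the log, so it is shown as '??' (assumption: GMER
    simply did not print it; nothing here guesses its value)."""
    by_off = {h.offset: h for h in parts if h.raw}
    head, tail = by_off.get(0), by_off.get(4)
    if head is None or tail is None or head.raw[:2] != (0xFF, 0x25):
        return None
    if len(head.raw) < 3 or len(tail.raw) < 2:
        return None
    # pointer bytes sit at +2, +3, +4, +5 in memory; little-endian, so print them reversed
    return f"{tail.raw[1]:02X}{tail.raw[0]:02X}??{head.raw[2]:02X}"


def summarize(text: str) -> Dict[str, dict]:
    """Per process: hooks resolved to a named module, hooks left as bare addresses,
    and the pointers behind split FF 25 entries."""
    grouped: Dict[tuple, List[Hook]] = defaultdict(list)
    for h in filter(None, map(parse_line, text.splitlines())):
        grouped[(h.process, h.pid, h.module, h.export)].append(h)
    report: Dict[str, dict] = defaultdict(
        lambda: {"by_lib": defaultdict(int), "unresolved": [], "indirect": {}})
    for (proc, pid, mod, exp), parts in grouped.items():
        entry = report[f"{proc}[{pid}]"]
        name = f"{mod}!{exp}"
        main = min(parts, key=lambda h: h.offset)   # the +0 entry of this export
        if main.target is not None:
            if main.target_lib:
                entry["by_lib"][main.target_lib] += 1
            else:
                entry["unresolved"].append((name, main.target))
        else:
            ptr = indirect_jmp_pointer(parts)
            if ptr:
                entry["indirect"][name] = ptr
    return report


# Constructed sample: entries copied from the GMER output above, padding collapsed.
SAMPLE = r"""
.text  C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtClose  77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text  C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtLoadDriver  77C85B98 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtLoadDriver + 4  77C85B9C 2 Bytes  [5F, 71]
.text  C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtSuspendProcess  77C868C8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\System32\rundll32.exe[4052] ntdll.dll!NtSuspendProcess + 4  77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text  C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateProcessW  767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text  C:\Windows\System32\rundll32.exe[4052] kernel32.dll!WriteProcessMemory  7681958F 6 Bytes  JMP 71A1000A
.text  C:\Windows\System32\rundll32.exe[4052] kernel32.dll!CreateRemoteThread  7683FADB 6 Bytes  JMP 71AE000A
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateProcessW  767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetAsyncKeyState  7663A256 6 Bytes  JMP 716C000A
"""

if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE).items():
        print(proc)
        for lib, n in entry["by_lib"].items():
            print(f"  {n} hook(s) -> {lib}")
        for name, tgt in entry["unresolved"]:
            print(f"  {name}: JMP {tgt:08X} (no module named by GMER)")
        for name, ptr in entry["indirect"].items():
            print(f"  {name}: jmp dword ptr [{ptr}]")
```

Run it over the full Gmer.txt rather than the sample to get one summary per hooked process. Hooks that GMER resolves to a known security product's DLL are expected on a machine running that product; the interesting lines are the bare `JMP 7xxx000A` targets and the reassembled `jmp dword ptr [71xx??1E]` pointers, which in this log all fall in the same 0x70A0xxxx to 0x71AExxxx region. Those addresses are to be matched against the loaded-module list of the same process (from the rest of the GMER output or from the FRST logs) to see which DLL owns that region; a hook that points into memory no loaded module accounts for is the case that needs follow-up.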
Alt 21.02.2014, 22:12   #14
gini57
 
gmer10_5142-5583.txt

Code:
ATTFilter
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtAlpcSendWaitReceivePort                        77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtClose                                          77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtLoadDriver                                     77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtLoadDriver + 4                                 77C85B9C 2 Bytes  [5F, 71]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtSuspendProcess                                 77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!NtSuspendProcess + 4                             77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!LdrUnloadDll                                     77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ntdll.dll!LdrLoadDll                                       77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateProcessW                                767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateProcessA                                767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateProcessAsUserW                          767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CopyFileW                                     767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CopyFileExW                                   767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateToolhelp32Snapshot                      767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!OpenMutexA                                    767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!DeleteFileW                                   767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!TerminateProcess                              767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!VirtualProtect                                767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateMutexW                                  767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!DeleteFileA                                   767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!OpenProcess                                   767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MoveFileExW                                   767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateDirectoryW                              767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!LoadResource                                  767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!DeviceIoControl                               767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!VirtualAlloc                                  767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!GetProcAddress                                767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateMutexA                                  767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!LoadLibraryA                                  767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateThread                                  767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateFileW                                   767FE895 6 Bytes  JMP 711E000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateFileA                                   767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!WideCharToMultiByte                           767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MultiByteToWideChar                           767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!LoadLibraryW                                  767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!WriteFile                                     768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!GetVolumeInformationW                         76806191 6 Bytes  JMP 714B000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!OpenMutexW                                    76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!TerminateThread                               7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MoveFileExA                                   76813F68 6 Bytes  JMP 7097000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!GetVolumeInformationA                         76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CopyFileA                                     76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MoveFileW                                     76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateDirectoryA                              768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!WriteProcessMemory                            7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!DebugActiveProcess                            7683738C 6 Bytes  JMP 7172000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!MoveFileA                                     7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CopyFileExA                                   7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!WinExec                                       7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!CreateRemoteThread                            7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!VirtualProtectEx                              7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] kernel32.dll!SetThreadContext                              768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!RegisterRawInputDevices                         76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!RegisterRawInputDevices + 4                     76635B56 2 Bytes  [53, 71]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetWindowTextA                                  76636EED 6 Bytes  JMP 7106000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetAsyncKeyState                                7663A256 6 Bytes  JMP 716C000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetWindowTextW                                  7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!CreateWindowExA                                 7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWindowsHookExW                               7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!CreateWindowExW                                 7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!ShowWindow                                      7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!ShowWindow + 4                                  7663F2AD 2 Bytes  [FF, 70]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWinEventHook                                 766424DC 6 Bytes  JMP 7157000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetKeyState                                     76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!DrawTextW                                       76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWindowTextW                                  7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!DrawTextA                                       7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWindowTextA                                  76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetKeyboardState                                76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!GetKeyboardState + 4                            7666694A 2 Bytes  [68, 71]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!SetWindowsHookExA                               76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!DdeConnect                                      7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] USER32.dll!EndTask                                         7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] GDI32.dll!DeleteDC                                         77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] GDI32.dll!GetPixel                                         77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] GDI32.dll!CreateDCA                                        77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] GDI32.dll!CreateDCW                                        77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!OpenSCManagerW                                7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegOpenKeyA                                   7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegCreateKeyA                                 7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueA                                7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegDeleteKeyW                                 767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegCreateKeyExA                               767213E9 6 Bytes  JMP 7148000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegSetValueExA                                76721433 6 Bytes  JMP 7130000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegSetValueExW                                76721456 6 Bytes  JMP 712D000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegCreateKeyW                                 76721494 6 Bytes  JMP 713F000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegOpenKeyW                                   767223D9 6 Bytes  JMP 7139000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!OpenSCManagerA                                76722B58 6 Bytes  JMP 710C000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!LookupPrivilegeValueA                         76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegCreateKeyExW                               7672407E 6 Bytes  JMP 7145000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!AdjustTokenPrivileges                         7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!LookupPrivilegeValueW                         76724133 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!OpenProcessToken                              76724284 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueW                                76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueW + 4                            76724438 2 Bytes  [26, 71]
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegOpenKeyExW                                 7672460D 6 Bytes  JMP 7133000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueExW                              7672462D 6 Bytes  JMP 7121000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegQueryValueExA                              7672486F 6 Bytes  JMP 7124000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegOpenKeyExA                                 76724887 6 Bytes  JMP 7136000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!CreateServiceW                                767370C4 6 Bytes  JMP 715A000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!RegDeleteKeyA                                 7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!CreateProcessAsUserA                          76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!CreateServiceA                                76753264 6 Bytes  JMP 715D000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] ADVAPI32.dll!LsaRemoveAccountRights                        767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!ShellExecuteW                                  76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!Shell_NotifyIconW                              76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!ShellExecuteExW                                76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!ShellExecuteEx                                 7709748A 6 Bytes  JMP 7184000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!ShellExecuteA                                  77097525 6 Bytes  JMP 718A000A 
.text           C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4068] SHELL32.dll!Shell_NotifyIcon                               77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtAlpcSendWaitReceivePort           77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtClose                             77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtLoadDriver                        77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtLoadDriver + 4                    77C85B9C 2 Bytes  [5F, 71]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtSuspendProcess                    77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!NtSuspendProcess + 4                77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!LdrUnloadDll                        77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ntdll.dll!LdrLoadDll                          77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateProcessW                   767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateProcessA                   767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateProcessAsUserW             767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CopyFileW                        767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CopyFileExW                      767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateToolhelp32Snapshot         767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!OpenMutexA                       767F0412 6 Bytes  JMP 70C1000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!DeleteFileW                      767F1737 6 Bytes  JMP 70A9000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!TerminateProcess                 767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!VirtualProtect                   767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateMutexW                     767F33D6 6 Bytes  JMP 70C4000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!DeleteFileA                      767F43CA 6 Bytes  JMP 70AC000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!OpenProcess                      767F54E7 6 Bytes  JMP 708B000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MoveFileExW                      767F8DF8 6 Bytes  JMP 708E000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateDirectoryW                 767F99D1 6 Bytes  JMP 70DC000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!LoadResource                     767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!DeviceIoControl                  767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!VirtualAlloc                     767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!GetProcAddress                   767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateMutexA                     767FD7C4 6 Bytes  JMP 70C7000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!LoadLibraryA                     767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateThread                     767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateFileW                      767FE895 6 Bytes  JMP 711E000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateFileA                      767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!WideCharToMultiByte              767FEEEA 6 Bytes  JMP 709A000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MultiByteToWideChar              767FEEF7 6 Bytes  JMP 70BB000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!LoadLibraryW                     767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!WriteFile                        768053DE 6 Bytes  JMP 70D9000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!GetVolumeInformationW            76806191 6 Bytes  JMP 714B000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!OpenMutexW                       76808ECD 6 Bytes  JMP 70BE000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!TerminateThread                  7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MoveFileExA                      76813F68 6 Bytes  JMP 7091000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!GetVolumeInformationA            76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CopyFileA                        76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MoveFileW                        76816EC6 6 Bytes  JMP 7094000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateDirectoryA                 768180D5 6 Bytes  JMP 70DF000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!WriteProcessMemory               7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!DebugActiveProcess               7683738C 6 Bytes  JMP 7172000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!MoveFileA                        7683BF49 6 Bytes  JMP 7097000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CopyFileExA                      7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!WinExec                          7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!CreateRemoteThread               7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!VirtualProtectEx                 7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] kernel32.dll!SetThreadContext                 768408B3 6 Bytes  JMP 70D6000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!OpenSCManagerW                   7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegOpenKeyA                      7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegCreateKeyA                    7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueA                   7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegDeleteKeyW                    767211F2 6 Bytes  JMP 70A3000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegCreateKeyExA                  767213E9 6 Bytes  JMP 7148000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegSetValueExA                   76721433 6 Bytes  JMP 7130000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegSetValueExW                   76721456 6 Bytes  JMP 712D000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegCreateKeyW                    76721494 6 Bytes  JMP 713F000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegOpenKeyW                      767223D9 6 Bytes  JMP 7139000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!OpenSCManagerA                   76722B58 6 Bytes  JMP 710C000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!LookupPrivilegeValueA            76723FCA 6 Bytes  JMP 70D0000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegCreateKeyExW                  7672407E 6 Bytes  JMP 7145000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!AdjustTokenPrivileges            7672410E 6 Bytes  JMP 70CA000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!LookupPrivilegeValueW            76724133 6 Bytes  JMP 70CD000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!OpenProcessToken                 76724284 6 Bytes  JMP 70D3000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueW                   76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueW + 4               76724438 2 Bytes  [26, 71]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegOpenKeyExW                    7672460D 6 Bytes  JMP 7133000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueExW                 7672462D 6 Bytes  JMP 7121000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegQueryValueExA                 7672486F 6 Bytes  JMP 7124000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegOpenKeyExA                    76724887 6 Bytes  JMP 7136000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!CreateServiceW                   767370C4 6 Bytes  JMP 715A000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!RegDeleteKeyA                    7673A84F 6 Bytes  JMP 70A6000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!CreateProcessAsUserA             76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!CreateServiceA                   76753264 6 Bytes  JMP 715D000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] ADVAPI32.dll!LsaRemoveAccountRights           767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] GDI32.dll!DeleteDC                            77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] GDI32.dll!GetPixel                            77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] GDI32.dll!CreateDCA                           77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] GDI32.dll!CreateDCW                           77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!RegisterRawInputDevices            76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!RegisterRawInputDevices + 4        76635B56 2 Bytes  [53, 71]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetWindowTextA                     76636EED 6 Bytes  JMP 7106000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetAsyncKeyState                   7663A256 6 Bytes  JMP 716C000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetWindowTextW                     7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!CreateWindowExA                    7663BF40 6 Bytes  JMP 70B2000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWindowsHookExW                  7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!CreateWindowExW                    7663EC7C 6 Bytes  JMP 70AF000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!ShowWindow                         7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!ShowWindow + 4                     7663F2AD 2 Bytes  [FF, 70]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWinEventHook                    766424DC 6 Bytes  JMP 7157000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetKeyState                        76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!DrawTextW                          76645B6A 6 Bytes  JMP 70B5000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWindowTextW                     7664612B 6 Bytes  JMP 709D000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!DrawTextA                          7665AE29 6 Bytes  JMP 70B8000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWindowTextA                     76660C5B 6 Bytes  JMP 70A0000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetKeyboardState                   76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!GetKeyboardState + 4               7666694A 2 Bytes  [68, 71]
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!SetWindowsHookExA                  76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!DdeConnect                         7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] USER32.dll!EndTask                            7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] WININET.dll!InternetOpenUrlA                  7696E1C6 6 Bytes  JMP 70E5000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] WININET.dll!InternetOpenUrlW                  769CDC08 6 Bytes  JMP 70E2000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!ShellExecuteW                     76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!Shell_NotifyIconW                 76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!ShellExecuteExW                   76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!ShellExecuteEx                    7709748A 6 Bytes  JMP 7184000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!ShellExecuteA                     77097525 6 Bytes  JMP 718A000A 
.text           C:\Program Files\Common Files\Java\Java Update\jusched.exe[4076] SHELL32.dll!Shell_NotifyIcon                  77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\notepad.exe[4420] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\notepad.exe[4420] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\notepad.exe[4420] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\notepad.exe[4420] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\notepad.exe[4420] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\notepad.exe[4420] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\notepad.exe[4420] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\notepad.exe[4420] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\notepad.exe[4420] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\notepad.exe[4420] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\notepad.exe[4420] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\notepad.exe[4420] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A 
.text           E:\Defogger.exe[4716] ntdll.dll!NtAlpcSendWaitReceivePort                                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] ntdll.dll!NtClose                                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] ntdll.dll!NtLoadDriver                                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           E:\Defogger.exe[4716] ntdll.dll!NtLoadDriver + 4                                                               77C85B9C 2 Bytes  [5F, 71]
.text           E:\Defogger.exe[4716] ntdll.dll!NtSuspendProcess                                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           E:\Defogger.exe[4716] ntdll.dll!NtSuspendProcess + 4                                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           E:\Defogger.exe[4716] ntdll.dll!LdrUnloadDll                                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] ntdll.dll!LdrLoadDll                                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] kernel32.dll!CreateProcessW                                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] kernel32.dll!CreateProcessA                                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] kernel32.dll!CreateProcessAsUserW                                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] kernel32.dll!CopyFileW                                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CopyFileExW                                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CreateToolhelp32Snapshot                                                    767EFD29 6 Bytes  JMP 7118000A 
.text           E:\Defogger.exe[4716] kernel32.dll!OpenMutexA                                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           E:\Defogger.exe[4716] kernel32.dll!DeleteFileW                                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           E:\Defogger.exe[4716] kernel32.dll!TerminateProcess                                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           E:\Defogger.exe[4716] kernel32.dll!VirtualProtect                                                              767F2C15 6 Bytes  JMP 710F000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CreateMutexW                                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           E:\Defogger.exe[4716] kernel32.dll!DeleteFileA                                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           E:\Defogger.exe[4716] kernel32.dll!OpenProcess                                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           E:\Defogger.exe[4716] kernel32.dll!MoveFileExW                                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CreateDirectoryW                                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           E:\Defogger.exe[4716] kernel32.dll!LoadResource                                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           E:\Defogger.exe[4716] kernel32.dll!DeviceIoControl                                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           E:\Defogger.exe[4716] kernel32.dll!VirtualAlloc                                                                767FC42A 6 Bytes  JMP 7112000A 
.text           E:\Defogger.exe[4716] kernel32.dll!GetProcAddress                                                              767FCC84 6 Bytes  JMP 7151000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CreateMutexA                                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           E:\Defogger.exe[4716] kernel32.dll!LoadLibraryA                                                                767FDC55 6 Bytes  JMP 719E000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CreateThread                                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CreateFileW                                                                 767FE895 6 Bytes  JMP 711E000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CreateFileA                                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           E:\Defogger.exe[4716] kernel32.dll!WideCharToMultiByte                                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           E:\Defogger.exe[4716] kernel32.dll!MultiByteToWideChar                                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           E:\Defogger.exe[4716] kernel32.dll!LoadLibraryW                                                                767FEF32 6 Bytes  JMP 719B000A 
.text           E:\Defogger.exe[4716] kernel32.dll!WriteFile                                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           E:\Defogger.exe[4716] kernel32.dll!GetVolumeInformationW                                                       76806191 6 Bytes  JMP 714B000A 
.text           E:\Defogger.exe[4716] kernel32.dll!OpenMutexW                                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           E:\Defogger.exe[4716] kernel32.dll!TerminateThread                                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           E:\Defogger.exe[4716] kernel32.dll!MoveFileExA                                                                 76813F68 6 Bytes  JMP 7097000A 
.text           E:\Defogger.exe[4716] kernel32.dll!GetVolumeInformationA                                                       76815CB2 6 Bytes  JMP 714E000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CopyFileA                                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           E:\Defogger.exe[4716] kernel32.dll!MoveFileW                                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CreateDirectoryA                                                            768180D5 6 Bytes  JMP 70E5000A 
.text           E:\Defogger.exe[4716] kernel32.dll!WriteProcessMemory                                                          7681958F 6 Bytes  JMP 71A1000A 
.text           E:\Defogger.exe[4716] kernel32.dll!DebugActiveProcess                                                          7683738C 6 Bytes  JMP 7172000A 
.text           E:\Defogger.exe[4716] kernel32.dll!MoveFileA                                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CopyFileExA                                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           E:\Defogger.exe[4716] kernel32.dll!WinExec                                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           E:\Defogger.exe[4716] kernel32.dll!CreateRemoteThread                                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           E:\Defogger.exe[4716] kernel32.dll!VirtualProtectEx                                                            7683FD39 6 Bytes  JMP 7163000A 
.text           E:\Defogger.exe[4716] kernel32.dll!SetThreadContext                                                            768408B3 6 Bytes  JMP 70DC000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!OpenSCManagerW                                                              7671CA04 6 Bytes  JMP 7109000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegOpenKeyA                                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegCreateKeyA                                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegQueryValueA                                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegDeleteKeyW                                                               767211F2 6 Bytes  JMP 70A9000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegCreateKeyExA                                                             767213E9 6 Bytes  JMP 7148000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegSetValueExA                                                              76721433 6 Bytes  JMP 7130000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegSetValueExW                                                              76721456 6 Bytes  JMP 712D000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegCreateKeyW                                                               76721494 6 Bytes  JMP 713F000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegOpenKeyW                                                                 767223D9 6 Bytes  JMP 7139000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!OpenSCManagerA                                                              76722B58 6 Bytes  JMP 710C000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!LookupPrivilegeValueA                                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegCreateKeyExW                                                             7672407E 6 Bytes  JMP 7145000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!AdjustTokenPrivileges                                                       7672410E 6 Bytes  JMP 70D0000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!LookupPrivilegeValueW                                                       76724133 6 Bytes  JMP 70D3000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!OpenProcessToken                                                            76724284 6 Bytes  JMP 70D9000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegQueryValueW                                                              76724434 3 Bytes  [FF, 25, 1E]
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegQueryValueW + 4                                                          76724438 2 Bytes  [26, 71]
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegOpenKeyExW                                                               7672460D 6 Bytes  JMP 7133000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegQueryValueExW                                                            7672462D 6 Bytes  JMP 7121000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegQueryValueExA                                                            7672486F 6 Bytes  JMP 7124000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegOpenKeyExA                                                               76724887 6 Bytes  JMP 7136000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!CreateServiceW                                                              767370C4 6 Bytes  JMP 715A000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!RegDeleteKeyA                                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!CreateProcessAsUserA                                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!CreateServiceA                                                              76753264 6 Bytes  JMP 715D000A 
.text           E:\Defogger.exe[4716] ADVAPI32.DLL!LsaRemoveAccountRights                                                      767589F1 6 Bytes  JMP 71A7000A 
.text           E:\Defogger.exe[4716] USER32.dll!RegisterRawInputDevices                                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           E:\Defogger.exe[4716] USER32.dll!RegisterRawInputDevices + 4                                                   76635B56 2 Bytes  [53, 71]
.text           E:\Defogger.exe[4716] USER32.dll!GetWindowTextA                                                                76636EED 6 Bytes  JMP 7106000A 
.text           E:\Defogger.exe[4716] USER32.dll!GetAsyncKeyState                                                              7663A256 6 Bytes  JMP 716C000A 
.text           E:\Defogger.exe[4716] USER32.dll!GetWindowTextW                                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           E:\Defogger.exe[4716] USER32.dll!CreateWindowExA                                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           E:\Defogger.exe[4716] USER32.dll!SetWindowsHookExW                                                             7663E30C 6 Bytes  JMP 7195000A 
.text           E:\Defogger.exe[4716] USER32.dll!CreateWindowExW                                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           E:\Defogger.exe[4716] USER32.dll!ShowWindow                                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           E:\Defogger.exe[4716] USER32.dll!ShowWindow + 4                                                                7663F2AD 2 Bytes  [FF, 70]
.text           E:\Defogger.exe[4716] USER32.dll!SetWinEventHook                                                               766424DC 6 Bytes  JMP 7157000A 
.text           E:\Defogger.exe[4716] USER32.dll!GetKeyState                                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           E:\Defogger.exe[4716] USER32.dll!DrawTextW                                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           E:\Defogger.exe[4716] USER32.dll!SetWindowTextW                                                                7664612B 6 Bytes  JMP 70A3000A 
.text           E:\Defogger.exe[4716] USER32.dll!DrawTextA                                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           E:\Defogger.exe[4716] USER32.dll!SetWindowTextA                                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           E:\Defogger.exe[4716] USER32.dll!GetKeyboardState                                                              76666946 3 Bytes  [FF, 25, 1E]
.text           E:\Defogger.exe[4716] USER32.dll!GetKeyboardState + 4                                                          7666694A 2 Bytes  [68, 71]
.text           E:\Defogger.exe[4716] USER32.dll!SetWindowsHookExA                                                             76666D0C 6 Bytes  JMP 7198000A 
.text           E:\Defogger.exe[4716] USER32.dll!DdeConnect                                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           E:\Defogger.exe[4716] USER32.dll!EndTask                                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           E:\Defogger.exe[4716] GDI32.dll!DeleteDC                                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] GDI32.dll!GetPixel                                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] GDI32.dll!CreateDCA                                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] GDI32.dll!CreateDCW                                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           E:\Defogger.exe[4716] SHELL32.dll!ShellExecuteW                                                                76E63C31 6 Bytes  JMP 7187000A 
.text           E:\Defogger.exe[4716] SHELL32.dll!Shell_NotifyIconW                                                            76E70171 6 Bytes  JMP 70EB000A 
.text           E:\Defogger.exe[4716] SHELL32.dll!ShellExecuteExW                                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           E:\Defogger.exe[4716] SHELL32.dll!ShellExecuteEx                                                               7709748A 6 Bytes  JMP 7184000A 
.text           E:\Defogger.exe[4716] SHELL32.dll!ShellExecuteA                                                                77097525 6 Bytes  JMP 718A000A 
.text           E:\Defogger.exe[4716] SHELL32.dll!Shell_NotifyIcon                                                             77098F9E 6 Bytes  JMP 70EE000A

21.02.2014, 22:24   #15
gini57

Windows 7: Blue screen after startup, system restore successful but malware suspected

gmer11_5584-5934.txt

Code:
.text           C:\Windows\system32\conhost.exe[4732] ntdll.dll!NtAlpcSendWaitReceivePort                                      77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] ntdll.dll!NtClose                                                        77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] ntdll.dll!NtLoadDriver                                                   77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\conhost.exe[4732] ntdll.dll!NtLoadDriver + 4                                               77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\conhost.exe[4732] ntdll.dll!NtSuspendProcess                                               77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\conhost.exe[4732] ntdll.dll!NtSuspendProcess + 4                                           77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\conhost.exe[4732] ntdll.dll!LdrUnloadDll                                                   77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] ntdll.dll!LdrLoadDll                                                     77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateProcessW                                              767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateProcessA                                              767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateProcessAsUserW                                        767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CopyFileW                                                   767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CopyFileExW                                                 767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateToolhelp32Snapshot                                    767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!OpenMutexA                                                  767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!DeleteFileW                                                 767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!TerminateProcess                                            767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!VirtualProtect                                              767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateMutexW                                                767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!DeleteFileA                                                 767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!OpenProcess                                                 767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!MoveFileExW                                                 767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateDirectoryW                                            767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!LoadResource                                                767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!DeviceIoControl                                             767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!VirtualAlloc                                                767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!GetProcAddress                                              767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateMutexA                                                767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!LoadLibraryA                                                767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateThread                                                767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateFileW                                                 767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateFileA                                                 767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!WideCharToMultiByte                                         767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!MultiByteToWideChar                                         767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!LoadLibraryW                                                767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!WriteFile                                                   768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!GetVolumeInformationW                                       76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!OpenMutexW                                                  76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!TerminateThread                                             7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!MoveFileExA                                                 76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!GetVolumeInformationA                                       76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CopyFileA                                                   76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!MoveFileW                                                   76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateDirectoryA                                            768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!WriteProcessMemory                                          7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!DebugActiveProcess                                          7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!MoveFileA                                                   7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CopyFileExA                                                 7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!WinExec                                                     7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!CreateRemoteThread                                          7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!VirtualProtectEx                                            7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\conhost.exe[4732] kernel32.dll!SetThreadContext                                            768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\conhost.exe[4732] GDI32.dll!DeleteDC                                                       77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] GDI32.dll!GetPixel                                                       77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] GDI32.dll!CreateDCA                                                      77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] GDI32.dll!CreateDCW                                                      77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!RegisterRawInputDevices                                       76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!RegisterRawInputDevices + 4                                   76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!GetWindowTextA                                                76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!GetAsyncKeyState                                              7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!GetWindowTextW                                                7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!CreateWindowExA                                               7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!SetWindowsHookExW                                             7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!CreateWindowExW                                               7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!ShowWindow                                                    7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!ShowWindow + 4                                                7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!SetWinEventHook                                               766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!GetKeyState                                                   76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!DrawTextW                                                     76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!SetWindowTextW                                                7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!DrawTextA                                                     7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!SetWindowTextA                                                76660C5B 6 Bytes  JMP 70A6000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!GetKeyboardState                                              76666946 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!GetKeyboardState + 4                                          7666694A 2 Bytes  [68, 71]
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!SetWindowsHookExA                                             76666D0C 6 Bytes  JMP 7198000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!DdeConnect                                                    7667EB5B 6 Bytes  JMP 7166000A 
.text           C:\Windows\system32\conhost.exe[4732] USER32.dll!EndTask                                                       7667FD66 6 Bytes  JMP 717B000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!OpenSCManagerW                                              7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegOpenKeyA                                                 7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegCreateKeyA                                               7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueA                                              7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegDeleteKeyW                                               767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegCreateKeyExA                                             767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegSetValueExA                                              76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegSetValueExW                                              76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegCreateKeyW                                               76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegOpenKeyW                                                 767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!OpenSCManagerA                                              76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!LookupPrivilegeValueA                                       76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegCreateKeyExW                                             7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!AdjustTokenPrivileges                                       7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!LookupPrivilegeValueW                                       76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!OpenProcessToken                                            76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueW                                              76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueW + 4                                          76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegOpenKeyExW                                               7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueExW                                            7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegQueryValueExA                                            7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegOpenKeyExA                                               76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!CreateServiceW                                              767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!RegDeleteKeyA                                               7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!CreateProcessAsUserA                                        76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!CreateServiceA                                              76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\conhost.exe[4732] ADVAPI32.dll!LsaRemoveAccountRights                                      767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\conhost.exe[4732] SHELL32.dll!ShellExecuteW                                                76E63C31 6 Bytes  JMP 7187000A 
.text           C:\Windows\system32\conhost.exe[4732] SHELL32.dll!Shell_NotifyIconW                                            76E70171 6 Bytes  JMP 70EB000A 
.text           C:\Windows\system32\conhost.exe[4732] SHELL32.dll!ShellExecuteExW                                              76E71DF6 6 Bytes  JMP 7181000A 
.text           C:\Windows\system32\conhost.exe[4732] SHELL32.dll!ShellExecuteEx                                               7709748A 6 Bytes  JMP 7184000A 
.text           C:\Windows\system32\conhost.exe[4732] SHELL32.dll!ShellExecuteA                                                77097525 6 Bytes  JMP 718A000A 
.text           C:\Windows\system32\conhost.exe[4732] SHELL32.dll!Shell_NotifyIcon                                             77098F9E 6 Bytes  JMP 70EE000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtAlpcSendWaitReceivePort                                    77C85458 5 Bytes  JMP 1002B670 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtClose                                                      77C85508 5 Bytes  JMP 1001D120 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtLoadDriver                                                 77C85B98 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtLoadDriver + 4                                             77C85B9C 2 Bytes  [5F, 71]
.text           C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtSuspendProcess                                             77C868C8 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!NtSuspendProcess + 4                                         77C868CC 2 Bytes  [77, 71] {JA 0x73}
.text           C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!LdrUnloadDll                                                 77C9C8DE 7 Bytes  JMP 1001D240 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] ntdll.dll!LdrLoadDll                                                   77CA22AE 5 Bytes  JMP 10027F40 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateProcessW                                            767B204D 5 Bytes  JMP 10025070 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateProcessA                                            767B2082 5 Bytes  JMP 10025C00 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateProcessAsUserW                                      767E59FF 5 Bytes  JMP 10023BA0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CopyFileW                                                 767E6B3F 6 Bytes  JMP 70F7000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CopyFileExW                                               767EB280 6 Bytes  JMP 70F1000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateToolhelp32Snapshot                                  767EFD29 6 Bytes  JMP 7118000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!OpenMutexA                                                767F0412 6 Bytes  JMP 70C7000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!DeleteFileW                                               767F1737 6 Bytes  JMP 70AF000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!TerminateProcess                                          767F2C05 6 Bytes  JMP 71A4000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!VirtualProtect                                            767F2C15 6 Bytes  JMP 710F000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateMutexW                                              767F33D6 6 Bytes  JMP 70CA000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!DeleteFileA                                               767F43CA 6 Bytes  JMP 70B2000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!OpenProcess                                               767F54E7 6 Bytes  JMP 7091000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MoveFileExW                                               767F8DF8 6 Bytes  JMP 7094000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateDirectoryW                                          767F99D1 6 Bytes  JMP 70E2000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!LoadResource                                              767F9CBA 6 Bytes  JMP 70FD000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!DeviceIoControl                                           767FB96D 6 Bytes  JMP 70E8000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!VirtualAlloc                                              767FC42A 6 Bytes  JMP 7112000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!GetProcAddress                                            767FCC84 6 Bytes  JMP 7151000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateMutexA                                              767FD7C4 6 Bytes  JMP 70CD000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!LoadLibraryA                                              767FDC55 6 Bytes  JMP 719E000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateThread                                              767FDCB2 6 Bytes  JMP 7115000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateFileW                                               767FE895 6 Bytes  JMP 711E000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateFileA                                               767FEA51 6 Bytes  JMP 711B000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!WideCharToMultiByte                                       767FEEEA 6 Bytes  JMP 70A0000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MultiByteToWideChar                                       767FEEF7 6 Bytes  JMP 70C1000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!LoadLibraryW                                              767FEF32 6 Bytes  JMP 719B000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!WriteFile                                                 768053DE 6 Bytes  JMP 70DF000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!GetVolumeInformationW                                     76806191 6 Bytes  JMP 714B000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!OpenMutexW                                                76808ECD 6 Bytes  JMP 70C4000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!TerminateThread                                           7680BBF1 6 Bytes  JMP 7175000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MoveFileExA                                               76813F68 6 Bytes  JMP 7097000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!GetVolumeInformationA                                     76815CB2 6 Bytes  JMP 714E000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CopyFileA                                                 76816D4A 6 Bytes  JMP 70FA000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MoveFileW                                                 76816EC6 6 Bytes  JMP 709A000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateDirectoryA                                          768180D5 6 Bytes  JMP 70E5000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!WriteProcessMemory                                        7681958F 6 Bytes  JMP 71A1000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!DebugActiveProcess                                        7683738C 6 Bytes  JMP 7172000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!MoveFileA                                                 7683BF49 6 Bytes  JMP 709D000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CopyFileExA                                               7683CDA1 6 Bytes  JMP 70F4000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!WinExec                                                   7683ED9E 6 Bytes  JMP 717E000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!CreateRemoteThread                                        7683FADB 6 Bytes  JMP 71AE000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!VirtualProtectEx                                          7683FD39 6 Bytes  JMP 7163000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] kernel32.dll!SetThreadContext                                          768408B3 6 Bytes  JMP 70DC000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!OpenSCManagerW                                            7671CA04 6 Bytes  JMP 7109000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegOpenKeyA                                               7671CBB5 6 Bytes  JMP 713C000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegCreateKeyA                                             7671CCA1 6 Bytes  JMP 7142000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueA                                            7671CDB2 5 Bytes  JMP 712A000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegDeleteKeyW                                             767211F2 6 Bytes  JMP 70A9000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegCreateKeyExA                                           767213E9 6 Bytes  JMP 7148000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegSetValueExA                                            76721433 6 Bytes  JMP 7130000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegSetValueExW                                            76721456 6 Bytes  JMP 712D000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegCreateKeyW                                             76721494 6 Bytes  JMP 713F000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegOpenKeyW                                               767223D9 6 Bytes  JMP 7139000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!OpenSCManagerA                                            76722B58 6 Bytes  JMP 710C000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!LookupPrivilegeValueA                                     76723FCA 6 Bytes  JMP 70D6000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegCreateKeyExW                                           7672407E 6 Bytes  JMP 7145000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!AdjustTokenPrivileges                                     7672410E 6 Bytes  JMP 70D0000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!LookupPrivilegeValueW                                     76724133 6 Bytes  JMP 70D3000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!OpenProcessToken                                          76724284 6 Bytes  JMP 70D9000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueW                                            76724434 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueW + 4                                        76724438 2 Bytes  [26, 71]
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegOpenKeyExW                                             7672460D 6 Bytes  JMP 7133000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueExW                                          7672462D 6 Bytes  JMP 7121000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegQueryValueExA                                          7672486F 6 Bytes  JMP 7124000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegOpenKeyExA                                             76724887 6 Bytes  JMP 7136000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!CreateServiceW                                            767370C4 6 Bytes  JMP 715A000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!RegDeleteKeyA                                             7673A84F 6 Bytes  JMP 70AC000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!CreateProcessAsUserA                                      76752642 5 Bytes  JMP 100244D0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!CreateServiceA                                            76753264 6 Bytes  JMP 715D000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] ADVAPI32.dll!LsaRemoveAccountRights                                    767589F1 6 Bytes  JMP 71A7000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] GDI32.dll!DeleteDC                                                     77DF6EAA 5 Bytes  JMP 10028D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] GDI32.dll!GetPixel                                                     77DFC3D5 5 Bytes  JMP 10028AE0 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] GDI32.dll!CreateDCA                                                    77DFCCA9 5 Bytes  JMP 10029E10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] GDI32.dll!CreateDCW                                                    77DFCF79 5 Bytes  JMP 10029D10 C:\Windows\system32\guard32.dll
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!RegisterRawInputDevices                                     76635B52 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!RegisterRawInputDevices + 4                                 76635B56 2 Bytes  [53, 71]
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetWindowTextA                                              76636EED 6 Bytes  JMP 7106000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetAsyncKeyState                                            7663A256 6 Bytes  JMP 716C000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetWindowTextW                                              7663B8C5 6 Bytes  JMP 7103000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!CreateWindowExA                                             7663BF40 6 Bytes  JMP 70B8000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!SetWindowsHookExW                                           7663E30C 6 Bytes  JMP 7195000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!CreateWindowExW                                             7663EC7C 6 Bytes  JMP 70B5000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!ShowWindow                                                  7663F2A9 3 Bytes  [FF, 25, 1E]
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!ShowWindow + 4                                              7663F2AD 2 Bytes  [FF, 70]
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!SetWinEventHook                                             766424DC 6 Bytes  JMP 7157000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!GetKeyState                                                 76642B4D 6 Bytes  JMP 716F000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!DrawTextW                                                   76645B6A 6 Bytes  JMP 70BB000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!SetWindowTextW                                              7664612B 6 Bytes  JMP 70A3000A 
.text           C:\Windows\system32\UI0Detect.exe[4824] USER32.dll!DrawTextA                                                   7665AE29 6 Bytes  JMP 70BE000A 
.text           C:\Windows\system3